You could have a look at https://docs.google.com/document/d/1eG0YocsYYbNAtivkLtcaiEE5IOF5u4LUol8-LL0TIKU/edit to see what GWT-RPC exchanges look like and see if they match what you're seeing. But they're not "binary".
I didn't follow what gRPC (Google's RPC format: https://grpc.io/) looks like on the web, but it's possible they use "binary" nowadays.

On Friday, October 20, 2023 at 3:10:17 PM UTC+2 [email protected] wrote:

> Dear Colin,
>
> thanks for the quick response. I did observe the authentication approach via BurpSuite that allows me to investigate each HTTP / websocket request / response. From this perspective, I can see that upon submitting my credentials to the webapp, there is only one HTTP POST request from client-side that only includes the username. After this initial POST request, all the communication goes over websocket with binary blobs being exchanged. Hence, it is not easy for me to identify which GWT library class is in use.
>
> Is there any way to get this information (i.e. I could provide the URL of the endpoint I am talking to)?
>
> Best,
> André
>
> Colin Alworth wrote on Friday, October 20, 2023 at 14:55:53 UTC+2:
>
>> While GWT offers websocket support, the only support is "now you can send messages on a websocket" - no serialization is offered, beyond what the browser itself provides (allowing sending a utf8 string, arraybuffers, blobs, typedarrays, or arrayviews). How are you verifying messages sent/received? If you are observing some 3-4 websocket frame handshake messages on the websocket, that is probably some other GWT library in use - which WebSocket class are you using?
>>
>> I maintain (and use in production) an rpc-over-websocket implementation <https://github.com/vertispan/gwt-rpc>, but it does not explicitly support authentication. Instead usually the first message authenticates with the server, or HTTP headers are used to authenticate (potentially using existing cookies) before the websocket is even initiated. So at least we can probably rule out that implementation.
>>
>> See https://developer.mozilla.org/en-US/docs/Web/API/WebSocket for more information on what the browser's own WebSocket type offers.
>>
>> On Friday, October 20, 2023 at 7:31:03 AM UTC-5 [email protected] wrote:
>>
>>> Hi,
>>>
>>> I am very new to GWT and have questions about the basic principles of how GWT via websockets works.
>>>
>>> I would like to analyze the authentication function of a given GWT web application. When authenticating with my credentials, I could identify that my credentials are sent via websocket in form of a binary blob. This most certainly is a serialized GWT object. The authentication seems to follow a protocol that involves 3-4 messages exchanged with the server-side.
>>>
>>> Hence, I strive to understand how the client-side transforms my textual credentials (username / password) into this binary blob. Subsequently, I would like to understand how I can deserialize messages coming from the server in order to get a better idea of the messages exchanged and hence the protocol.
>>>
>>> Thanks,
>>>
>>> André
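
As an added example (not code from any participant in this thread or from the GWT project), the following sketch checks whether a captured payload looks like stock GWT-RPC text or an opaque binary frame, which is the distinction the first reply draws. It assumes the commonly documented GWT-RPC layout (a pipe-delimited request starting with version, flags and string-table size; a response starting with `//OK` or `//EX`); the function names and sample frames are constructed for illustration.

```python
# Added example: triage of captured payloads. All sample frames are constructed.
SAMPLES = {
    "request": b"7|0|4|https://app.example/app/|0123456789ABCDEF0123456789ABCDEF|"
               b"com.example.client.LoginService|ping|1|2|3|4|0|",
    "response": b'//OK[1,["ok"],0,7]',
    "json": b'{"user":"alice"}',
    "blob": bytes([0x0A, 0x03, 0xFF, 0xFE, 0x00, 0x10]),
    "nul_text": b"\x00\x01login",
}


def parse_gwt_rpc_request(text):
    """Split a GWT-RPC request into header and string table; None if it does not fit."""
    fields = text.split("|")
    head = fields[:3]
    if len(head) < 3 or not all(f.isascii() and f.isdigit() for f in head):
        return None
    version, flags, count = (int(f) for f in head)
    # The declared string-table size must be plausible for the fields present.
    if count == 0 or len(fields) < 3 + count:
        return None
    return {
        "version": version,
        "flags": flags,
        # Assumed typical order: module base URL, policy name, service interface, method.
        "strings": fields[3:3 + count],
        "payload": [f for f in fields[3 + count:] if f],
    }


def classify_payload(payload: bytes) -> str:
    """Label a frame as GWT-RPC request/response, other text, or binary."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    # Valid UTF-8 that carries control bytes is still treated as a binary frame.
    if any(ord(c) < 32 and c not in "\t\r\n" for c in text):
        return "binary"
    if text.startswith(("//OK", "//EX")):
        return "gwt-rpc-response"
    if parse_gwt_rpc_request(text) is not None:
        return "gwt-rpc-request"
    return "text-other"


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:9s} -> {classify_payload(frame)}")
```

Frames labelled `binary` here are not stock GWT-RPC, so the serialization comes from whatever library wraps the WebSocket; for a `gwt-rpc-request`, the string table names the service interface and method being called.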
