There was a security issue that we were made aware of up until 2.10:
https://bishopfox.com/blog/gwt-unpatched-unauthenticated-java-deserialization-vulnerability
https://github.com/gwtproject/gwt/issues/9709
https://github.com/gwtproject/gwt/pull/9879

This was fixed in the 2.10.1 and 2.11.0 releases - 2.11.0 was about to go 
out so we tacked on another change for it, and 2.10.1's only change was 
this same fix, backported.

There are other future changes to restore the "enhanced classes" feature, 
but I haven't seen any serious interest in it, so we might not end up 
restoring it, but removing it entirely?
https://github.com/gwtproject/gwt/issues/9880
https://github.com/gwtproject/gwt/issues/9881

On Monday, October 7, 2024 at 10:26:53 AM UTC-5 [email protected] wrote:

> Love GWT RPC as it makes calling code on the server seamless. I was 
> reading however that it might not be secure (so issue with arbitrary code 
> execution). I'm not a security expert. Can someone give me the status of RPC 
> and the security issue with sending annotated POJOs?
