>
> I don't think any truly RESTful back end can be secure with a GWT front
> end, because you need the back end to keep state to protect against XSRF.


You don't need to maintain state to prevent CSRF. If you set a custom http
request header and check its value on the server side, it will prevent CSRF.
The value can be hard-coded in the service, and does not have to be a
secret.

This works because the only way to set a custom header is via
XmlHttpRequest. A CSRF request cannot use XmlHttpRequest because browser
same-origin policy will prevent it. This solution works as long as your
users are not using outdated versions of flash player (they had security
holes).

Some threads which discuss this strategy (using custom http headers to prevent CSRF):
a) http://stackoverflow.com/questions/2609834/gwt-rpc-does-it-do-enough-to-protect-against-csrf
b) http://www.webappsec.org/lists/websecurity/archive/2010-09/msg00099.html
c) http://michael-coates.blogspot.com/2010/05/csrf-attacks-and-forged-headers.html

--Sri
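
The check Sri describes, as an added example that is not code from this thread or from GWT: a stateless server-side CSRF filter in plain Node-style JavaScript, with the CORS caveat that a custom header triggers a preflight which must not grant that header to other origins. The header name, its value and the trusted origin are assumptions.

```javascript
// Added example, not code from the thread or from GWT: a stateless CSRF
// check based on a custom request header, as described above.
// Header name, value and trusted origin are assumptions.
const CSRF_HEADER = 'x-gwt-csrf';   // hypothetical header the GWT client sets
const CSRF_VALUE = 'gwt-rpc';       // hard-coded; it does not need to be secret
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
const TRUSTED_ORIGINS = new Set(['https://app.example.com']); // constructed

// Headers are a plain object with lower-cased names, as Node's
// http.IncomingMessage.headers provides. Safe methods must not change
// state, so only state-changing requests are required to carry the header.
function isCsrfSafe(method, headers) {
  if (!STATE_CHANGING.has(method.toUpperCase())) return true;
  return headers[CSRF_HEADER] === CSRF_VALUE;
}

// Caveat: a custom header makes the browser send a CORS preflight first.
// The defence holds only if preflight never grants the header to an
// untrusted origin; reflecting Access-Control-Allow-Headers would undo it.
function preflightResponse(origin) {
  if (!TRUSTED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  return { status: 204, headers: {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Headers': CSRF_HEADER,
    'Access-Control-Allow-Methods': 'POST, PUT, PATCH, DELETE' } };
}

// Request shape: { method, headers }. Returns { status, body } or the preflight.
function handleRequest(req) {
  if (req.method.toUpperCase() === 'OPTIONS') return preflightResponse(req.headers.origin);
  if (!isCsrfSafe(req.method, req.headers)) {
    return { status: 403, body: 'rejected: missing or wrong ' + CSRF_HEADER };
  }
  return { status: 200, body: 'ok' };
}

// Constructed sample requests: a legitimate XHR from the GWT client, and a
// cross-site form post that carries the session cookie but cannot set the header.
const xhrRequest = { method: 'POST',
  headers: { 'x-gwt-csrf': 'gwt-rpc', cookie: 'JSESSIONID=abc123' } };
const forgedForm = { method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded', cookie: 'JSESSIONID=abc123' } };
console.log(handleRequest(xhrRequest).status, handleRequest(forgedForm).status); // 200 403
```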


On 18 October 2010 22:57, Jeff Larsen <larse...@gmail.com> wrote:

> Oh that looks really interesting Johan. Consider it bookmarked.
>
> Another project I'm looking at is Restlet, but I just don't have
> enough time to do all the necessary investigation.
>
> As far as preventing XSRF with REST... that is definitely a tricky one
> but not something that is absolutely necessary to figure out before my
> mid November deadline.
>
>
>
>
> On Oct 18, 9:50 am, Brett Thomas <brettptho...@gmail.com> wrote:
> > Looks like an awesome project, but again security is the issue for me. I
> > don't think any truly RESTful back end can be secure with a GWT front end,
> > because you need the back end to keep state to protect against XSRF. That's
> > why I thought RequestFactory had so much potential, if it could handle the
> > authentication and leave authorization to the REST back end.
> >
> > On Mon, Oct 18, 2010 at 10:32 AM, Johan Rydberg
> > <johan.rydb...@edgeware.tv> wrote:
> >
> >
> >
> > > Have you guys looked at http://github.com/chirino/resty-gwt ?
> >
> > > --
> > > You received this message because you are subscribed to the Google
> Groups
> > > "Google Web Toolkit" group.
> > > To post to this group, send email to
> google-web-tool...@googlegroups.com.
> > > To unsubscribe from this group, send email to
> > > google-web-toolkit+unsubscr...@googlegroups.com.
> > > For more options, visit this group at
> > >http://groups.google.com/group/google-web-toolkit?hl=en.
>
