Forgot to add -
I have been using the RequestBuilder + JSON + Javascript Overlays for quite
a while now. We use sessions just for the authentication piece, but
otherwise our setup is RESTful.

You can go to a completely RESTful approach by -
a) Using HTTP basic or digest authentication over HTTPS (don't do this over
http), AND,
b) Using a custom HTTP request header to prevent CSRF.


RESTful services + JSON is possible, but, IMO, it's better to stick with
cookie-based tokens for authentication; while it isn't RESTful in the true
sense of the word, it's a good compromise.

--Sri
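A server-side version of the custom-header check described in this thread, as an added example that is not from the thread or from GWT itself: a servlet filter that rejects any state-changing request lacking the header, with the matching GWT RequestBuilder call shown in the trailing comment. The header name `X-Requested-With`, its value, and the `/api/*` filter mapping are assumptions; the value is not a secret, the point is that a cross-site form or image request cannot add a custom header at all, and a cross-origin XMLHttpRequest that tries is stopped by the browser (same-origin policy, or today a CORS preflight the server does not answer).

```java
// Added example (not code from the thread): a servlet filter that enforces the
// custom-header CSRF check. Map it to /api/* in web.xml (assumed path).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CustomHeaderCsrfFilter implements Filter {
    // Assumed header name and value; deliberately not a secret.
    static final String HEADER = "X-Requested-With";
    static final String EXPECTED = "XMLHttpRequest";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String method = http.getMethod();
        // GET/HEAD/OPTIONS must never change state, so they need no header;
        // every other method (POST/PUT/DELETE) must carry it.
        boolean safeMethod = "GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method);
        if (!safeMethod && !EXPECTED.equals(http.getHeader(HEADER))) {
            // A cross-site <form> or <img> request cannot set this header, and a
            // cross-origin XMLHttpRequest that tries is blocked by the browser.
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "missing " + HEADER);
            return;
        }
        // The header only proves same-origin JavaScript made the call; the
        // session/cookie authentication check still runs after this filter.
        chain.doFilter(req, res);
    }
}

// GWT client side (com.google.gwt.http.client), for reference: every
// state-changing call sets the header before sending, e.g.
//   RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/api/orders");
//   rb.setHeader("X-Requested-With", "XMLHttpRequest");
//   rb.setHeader("Content-Type", "application/json");
//   rb.sendRequest(json, callback);
```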


On 19 October 2010 00:20, Sripathi Krishnan <sripathi.krish...@gmail.com> wrote:

>> I don't think any truly RESTful back end can be secure with a GWT front
>> end, because you need the back end to keep state to protect against XSRF.
>
>
> You don't need to maintain state to prevent CSRF. If you set a custom http
> request header and check its value on the server side, it will prevent CSRF.
> The value can be hard-coded in the service, and does not have to be a
> secret.
>
> This works because the only way to set a custom header is via
> XmlHttpRequest. A CSRF request cannot use XmlHttpRequest because browser
> same-origin policy will prevent it. This solution works as long as your
> users are not using outdated versions of flash player (they had security
> holes).
>
> Some threads which discuss this strategy - (using custom http headers to
> prevent CSRF)
> a)
> http://stackoverflow.com/questions/2609834/gwt-rpc-does-it-do-enough-to-protect-against-csrf
> b)
> http://www.webappsec.org/lists/websecurity/archive/2010-09/msg00099.html
> c)
> http://michael-coates.blogspot.com/2010/05/csrf-attacks-and-forged-headers.html
>
> --Sri
>
>
>
> On 18 October 2010 22:57, Jeff Larsen <larse...@gmail.com> wrote:
>
>> Oh that looks really interesting Johan. Consider it bookmarked.
>>
>> Another project I'm looking at is Restlet, but I just don't have
>> enough time to do all the necessary investigation.
>>
>> As far as preventing XSRF with REST... that is definitely a tricky one
>> but not something that is absolutely necessary to figure out before my
>> mid November deadline.
>>
>>
>>
>>
>> On Oct 18, 9:50 am, Brett Thomas <brettptho...@gmail.com> wrote:
>> > Looks like an awesome project, but again security is the issue for me. I
>> > don't think any truly RESTful back end can be secure with a GWT front end,
>> > because you need the back end to keep state to protect against XSRF. That's
>> > why I thought RequestFactory had so much potential, if it could handle the
>> > authentication and leave authorization to the REST back end.
>> >
>> > On Mon, Oct 18, 2010 at 10:32 AM, Johan Rydberg
>> > <johan.rydb...@edgeware.tv> wrote:
>> >
>> >
>> >
>> > > Have you guys looked at http://github.com/chirino/resty-gwt?
>> >
>>
>>
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to google-web-tool...@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
