Also, you are free to use the underlying RpcToken capabilities, which solves
the hard part of the problem (transparently adding a token to every RPC
request). You can use it to build on top of whatever session mechanism you
have now, like this:
// could also add @XsrfProtect and extend RemoteService instead if you prefer
public interface MyService extends XsrfProtectedService {
    ...
}

// client side: set the token once; the generated proxy then attaches it
// to every RPC request made through svc
MyServiceAsync svc = GWT.create(MyService.class);
((HasRpcToken) svc).setRpcToken(getTokenFromHostPageOrWherever());

// server side: the base class deserializes the token and calls
// validateXsrfToken() before the service method is dispatched
public class MyServiceImpl extends AbstractXsrfProtectedServiceServlet
        implements MyService {
    @Override
    protected void validateXsrfToken(RpcToken token, Method method)
            throws RpcTokenException {
        // throw RpcTokenException if token is not valid
    }
}
You already have to extend a particular base class for GWT RPC, to get the
serialization/deserialization, so extending a different one doesn't seem
much of a burden. I don't think there is going to be a "drop-in, zero
changes" XSRF fix that works with everybody's deployment strategies.
--
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/google-web-toolkit?hl=en.
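A worked server-side implementation of the validateXsrfToken() hook described in the post above, added here as an example; it is not code from the post or from GWT itself. It assumes a per-session token that the host-page servlet stores in the HttpSession under the hypothetical attribute name XSRF_SESSION_ATTR (via the hypothetical issueToken() helper) and also writes into the host page, from where the client reads it and wraps it in GWT's XsrfToken before calling setRpcToken(). The check compares the session copy with the copy that arrived in the RPC request using a constant-time comparison, and rejects the call with RpcTokenException on any mismatch, missing token or missing session.

```java
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.HttpSession;

import com.google.gwt.user.client.rpc.RpcToken;
import com.google.gwt.user.client.rpc.RpcTokenException;
import com.google.gwt.user.client.rpc.XsrfToken;
import com.google.gwt.user.server.rpc.AbstractXsrfProtectedServiceServlet;

/**
 * Example XSRF-protected GWT RPC servlet. MyService is assumed to extend
 * XsrfProtectedService (as in the post), so the base class validates every
 * method of it unless a method is annotated @NoXsrfProtect.
 */
public class MyServiceImpl extends AbstractXsrfProtectedServiceServlet
        implements MyService {

    // Hypothetical name of the session attribute holding the expected token.
    static final String XSRF_SESSION_ATTR = "example.xsrf.token";

    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Hypothetical helper for the host-page servlet: mint a fresh random
     * token for this session (or reuse the existing one) and return the value
     * to embed in the host page, e.g. as a JS variable the client reads.
     */
    public static String issueToken(HttpSession session) {
        String existing = (String) session.getAttribute(XSRF_SESSION_ATTR);
        if (existing != null) {
            return existing;
        }
        byte[] raw = new byte[32];            // 256 bits of entropy
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(XSRF_SESSION_ATTR, token);
        return token;
    }

    @Override
    protected void validateXsrfToken(RpcToken token, Method method)
            throws RpcTokenException {
        // The proxy sends whatever RpcToken implementation the client set;
        // accept only the one we issue.
        if (!(token instanceof XsrfToken)) {
            throw new RpcTokenException("Missing or unexpected RPC token for "
                    + method.getName());
        }
        String presented = ((XsrfToken) token).getToken();

        // getSession(false): never create a session as a side effect of a
        // failed check, otherwise an attacker can mint sessions for free.
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session == null) {
            throw new RpcTokenException("No session for " + method.getName());
        }
        String expected = (String) session.getAttribute(XSRF_SESSION_ATTR);
        if (expected == null || presented == null) {
            throw new RpcTokenException("XSRF token not established for "
                    + method.getName());
        }

        // Constant-time comparison so the check leaks no timing information
        // about how many leading bytes of the token an attacker got right.
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presented.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) {
            throw new RpcTokenException("Invalid XSRF token for "
                    + method.getName());
        }
    }

    // ... MyService methods go here; they run only after the check passes.
}
```

On the client the matching call is ((HasRpcToken) svc).setRpcToken(new XsrfToken(tokenReadFromHostPage)), where the host page must have been served by the same servlet that called issueToken(); the session cookie and the token therefore have to travel together, which is exactly what a cross-site request cannot arrange. Because the token lives in the session rather than being derived from the cookie, invalidating the session also invalidates every outstanding token.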