That's exactly what I was looking for. Thank you! On Wednesday, February 19, 2014 3:38:05 AM UTC-6, Thomas Broyer wrote: > > RPC.decodeRequest resolves the method from the interface: > > Method method = serviceIntf.getMethod(serviceMethodName, parameterTypes); > > so only methods declared on the interface can be called. > > On Wednesday, February 19, 2014 3:37:48 AM UTC+1, Matthew Wood wrote: >> >> I can't seem to track down the answer to this question. In GWT-RPC is any >> validation done to enforce that only methods in the RemoteService interface >> can be invoked? For example, if you had a public helper method in the >> RemoteServiceServlet that wasn't described in the interface could it be >> invoked by forging an RPC request? >> >> I'm trying to get a handle on what is exactly exposed in a >> RemoteServiceServlet and what enforces that exposure. I'm assuming a >> malicious client directly accessing the server and bypassing a provided >> client. >> >> I'd love to see the code that was responsible, too. I poked around >> com.google.gwt.user.server.rpc but could only find implementsInterface, >> which I don't think does what I'm asking. >> >
-- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscr...@googlegroups.com. To post to this group, send email to google-web-toolkit@googlegroups.com. Visit this group at http://groups.google.com/group/google-web-toolkit. For more options, visit https://groups.google.com/groups/opt_out.
