Re: RequestFactory + Rest/JSON?
Thanks for that writeup Steve, really helpful. The main reason I avoid that setup is because of the extra work it'd require to add XSRF protections. I use GWT-RPC to send data (adding an additional XSRF token), then have the servlet call the REST back end. What do you think - have you dealt with this issue?

Thanks,
Brett

On Wed, Oct 13, 2010 at 9:53 PM, Steve Moyer smoye...@gmail.com wrote:
> Has it ever been? ... I meant that you could pretty much do your REST/JSON with the RequestBuilder as shipped in GWT 2.x. Prior versions needed extra code around what was shipped.
>
> smoyer
>
> On Oct 13, 7:32 pm, Thomas Broyer t.bro...@gmail.com wrote:
> > On 14 oct, 00:59, Steve Moyer smoye...@gmail.com wrote:
> > > I've been using RequestBuilder to access REST/JSON services since GWT version 1.7.0.
> > > [...]
> > > Wow ... that was a bit long-winded, but I think it's safe to say that REST/JSON with GWT is no longer the bleeding edge.
> >
> > Has it ever been?! I've been using the exact same approach since GWT 1.5.0 (with Spring Webscripts on the server side though; well, at the time they were Alfresco Web Scripts, not Spring Webscripts, and given that we haven't upgraded/updated the backend, they're still not Spring Webscripts, to be exact)

--
You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to google-web-tool...@googlegroups.com. To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
Re: RequestFactory + Rest/JSON?
Have you guys looked at http://github.com/chirino/resty-gwt ?
Re: RequestFactory + Rest/JSON?
Looks like an awesome project, but again security is the issue for me. I don't think any truly RESTful back end can be secure with a GWT front end, because you need the back end to keep state to protect against XSRF. That's why I thought RequestFactory had so much potential, if it could handle the authentication and leave authorization to the REST back end.

On Mon, Oct 18, 2010 at 10:32 AM, Johan Rydberg johan.rydb...@edgeware.tv wrote:
> Have you guys looked at http://github.com/chirino/resty-gwt ?
Re: RequestFactory + Rest/JSON?
Oh that looks really interesting Johan. Consider it bookmarked. Another project I'm looking at is Restlet, but I just don't have enough time to do all the necessary investigation.

As far as preventing XSRF with REST... that is definitely a tricky one but not something that is absolutely necessary to figure out before my mid November deadline.

On Oct 18, 9:50 am, Brett Thomas brettptho...@gmail.com wrote:
> Looks like an awesome project, but again security is the issue for me. I don't think any truly RESTful back end can be secure with a GWT front end, because you need the back end to keep state to protect against XSRF. That's why I thought RequestFactory had so much potential, if it could handle the authentication and leave authorization to the REST back end.
>
> On Mon, Oct 18, 2010 at 10:32 AM, Johan Rydberg johan.rydb...@edgeware.tv wrote:
> > Have you guys looked at http://github.com/chirino/resty-gwt ?
Re: RequestFactory + Rest/JSON?
> I don't think any truly RESTful back end can be secure with a GWT front end, because you need the back end to keep state to protect against XSRF.

You don't need to maintain state to prevent CSRF. If you set a custom HTTP request header and check its value on the server side, it will prevent CSRF. The value can be hard-coded in the service, and does not have to be a secret.

This works because the only way to set a custom header is via XMLHttpRequest. A CSRF request cannot use XMLHttpRequest because browser same-origin policy will prevent it. This solution works as long as your users are not using outdated versions of Flash Player (they had security holes).

Some threads which discuss this strategy (using custom HTTP headers to prevent CSRF):
a) http://stackoverflow.com/questions/2609834/gwt-rpc-does-it-do-enough-to-protect-against-csrf
b) http://www.webappsec.org/lists/websecurity/archive/2010-09/msg00099.html
c) http://michael-coates.blogspot.com/2010/05/csrf-attacks-and-forged-headers.html

--Sri

On 18 October 2010 22:57, Jeff Larsen larse...@gmail.com wrote:
> Oh that looks really interesting Johan. Consider it bookmarked. Another project I'm looking at is Restlet, but I just don't have enough time to do all the necessary investigation.
>
> As far as preventing XSRF with REST... that is definitely a tricky one but not something that is absolutely necessary to figure out before my mid November deadline.
>
> On Oct 18, 9:50 am, Brett Thomas brettptho...@gmail.com wrote:
> > Looks like an awesome project, but again security is the issue for me. I don't think any truly RESTful back end can be secure with a GWT front end, because you need the back end to keep state to protect against XSRF. That's why I thought RequestFactory had so much potential, if it could handle the authentication and leave authorization to the REST back end.
> >
> > On Mon, Oct 18, 2010 at 10:32 AM, Johan Rydberg johan.rydb...@edgeware.tv wrote:
> > > Have you guys looked at http://github.com/chirino/resty-gwt ?
Re: RequestFactory + Rest/JSON?
Forgot to add - I have been using the RequestBuilder + JSON + JavaScript Overlays for quite a while now. We use sessions just for the authentication piece, but otherwise our setup is RESTful.

You can go to a complete RESTful approach by -
a) Using HTTP basic or digest authentication over HTTPS (don't do this over HTTP), AND,
b) Using custom HTTP request header to prevent CSRF.

RESTful services + JSON is possible, but, IMO, it's better to stick with cookie-based tokens for authentication; while it isn't RESTful in the true sense of the word, it's a good compromise.

--Sri

On 19 October 2010 00:20, Sripathi Krishnan sripathi.krish...@gmail.com wrote:
> > I don't think any truly RESTful back end can be secure with a GWT front end, because you need the back end to keep state to protect against XSRF.
>
> You don't need to maintain state to prevent CSRF. If you set a custom HTTP request header and check its value on the server side, it will prevent CSRF. The value can be hard-coded in the service, and does not have to be a secret.
>
> This works because the only way to set a custom header is via XMLHttpRequest. A CSRF request cannot use XMLHttpRequest because browser same-origin policy will prevent it. This solution works as long as your users are not using outdated versions of Flash Player (they had security holes).
>
> Some threads which discuss this strategy (using custom HTTP headers to prevent CSRF):
> a) http://stackoverflow.com/questions/2609834/gwt-rpc-does-it-do-enough-to-protect-against-csrf
> b) http://www.webappsec.org/lists/websecurity/archive/2010-09/msg00099.html
> c) http://michael-coates.blogspot.com/2010/05/csrf-attacks-and-forged-headers.html
>
> --Sri
>
> On 18 October 2010 22:57, Jeff Larsen larse...@gmail.com wrote:
> > Oh that looks really interesting Johan. Consider it bookmarked. Another project I'm looking at is Restlet, but I just don't have enough time to do all the necessary investigation.
> >
> > As far as preventing XSRF with REST... that is definitely a tricky one but not something that is absolutely necessary to figure out before my mid November deadline.
> >
> > On Oct 18, 9:50 am, Brett Thomas brettptho...@gmail.com wrote:
> > > Looks like an awesome project, but again security is the issue for me. I don't think any truly RESTful back end can be secure with a GWT front end, because you need the back end to keep state to protect against XSRF. That's why I thought RequestFactory had so much potential, if it could handle the authentication and leave authorization to the REST back end.
> > >
> > > On Mon, Oct 18, 2010 at 10:32 AM, Johan Rydberg johan.rydb...@edgeware.tv wrote:
> > > > Have you guys looked at http://github.com/chirino/resty-gwt ?
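The stateless check described in Sri's two messages above, sketched as a server-side filter on the JDK's built-in HTTP server. This is an added example, not code from the thread or from GWT; the header name `X-Requested-By`, its value, the `/api/items` path and the exemption of GET/HEAD/OPTIONS are assumptions.

```java
import com.sun.net.httpserver.Filter;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class CustomHeaderCsrfDemo {
    // Assumed names: the thread only says "a custom http request header".
    static final String HEADER = "X-Requested-By";
    static final String EXPECTED = "gwt-client";   // hard-coded, not a secret
    // Assumption: only state-changing methods are checked.
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    /** Stateless decision: needs nothing but the request itself. */
    static boolean allowed(String method, String headerValue) {
        return SAFE_METHODS.contains(method) || EXPECTED.equals(headerValue);
    }

    /** Rejects requests that fail the check before any handler runs. */
    static class CsrfHeaderFilter extends Filter {
        @Override
        public void doFilter(HttpExchange ex, Chain chain) throws IOException {
            String value = ex.getRequestHeaders().getFirst(HEADER);
            if (allowed(ex.getRequestMethod(), value)) {
                chain.doFilter(ex);
            } else {
                ex.sendResponseHeaders(403, -1);   // 403 with no response body
                ex.close();
            }
        }
        @Override
        public String description() { return "custom-header CSRF check"; }
    }

    /** Sends one request to the demo endpoint and returns the HTTP status. */
    static int send(int port, String method, String headerValue) throws IOException {
        HttpURLConnection c = (HttpURLConnection)
            URI.create("http://127.0.0.1:" + port + "/api/items").toURL().openConnection();
        c.setRequestMethod(method);
        if (headerValue != null) c.setRequestProperty(HEADER, headerValue);
        if (!SAFE_METHODS.contains(method)) {
            c.setDoOutput(true);
            c.getOutputStream().write("{}".getBytes(StandardCharsets.UTF_8));
        }
        return c.getResponseCode();
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/api/items", ex -> { ex.sendResponseHeaders(204, -1); ex.close(); })
              .getFilters().add(new CsrfHeaderFilter());
        server.start();
        int port = server.getAddress().getPort();
        try {
            // Shape of a cross-site form post: cookies may ride along, the header cannot.
            System.out.println("POST without header -> " + send(port, "POST", null));
            System.out.println("POST wrong value    -> " + send(port, "POST", "other"));
            // Shape of the application's own XHR call.
            System.out.println("POST with header    -> " + send(port, "POST", EXPECTED));
            System.out.println("GET without header  -> " + send(port, "GET", null));
        } finally {
            server.stop(0);
        }
    }
}
```

On the GWT client the same header would be added with `RequestBuilder.setHeader` before the request is sent. The check holds only while the server does not use CORS to let other origins send this header.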
Re: RequestFactory + Rest/JSON?
I looked into this yesterday. Thomas Broyer posted a message on this group at one point that RequestFactory doesn't support a REST backend:
http://groups.google.com/group/google-web-toolkit/browse_thread/thread/f43a98bc56af0e91

I wonder if, since RequestFactory uses different interfaces on client and server, the server interface could be used to map directly to a RESTful server. I think this would be a really nice way to proxy a RESTful server on a different domain. I'm not that familiar with RequestFactory, though - would a setup like this make any sense? Anybody think it'd be a worthwhile project to take up?

On Wed, Oct 13, 2010 at 12:03 PM, Jeff Larsen larse...@gmail.com wrote:
> I am beginning a new project and I was wondering what the options are for using JSON and REST as the protocol for using the RequestFactory. The framework I'm writing must be portable across multiple types of backend environments, Java, C#, PHP etc.
>
> In reading the docs/Ctrl+F I didn't find REST or JSON mentioned. What are my out of the box options for using JSON/Rest?
Re: RequestFactory + Rest/JSON?
It is something I know would be useful to me. I guess I'm pouring into the RequestFactory/RequestFactoryServlet code this weekend to see what it would take to make these compatible with RESTful services.

On Oct 13, 11:14 am, Brett Thomas brettptho...@gmail.com wrote:
> I looked in to this yesterday. Thomas Broyer posted a message on this group at one point that RequestFactory doesn't support a REST backend http://groups.google.com/group/google-web-toolkit/browse_thread/threa...
>
> I wonder if, since RequestFactory uses different interfaces on client and server, the server interface could be used to map directly to a restful server. I think this would be a really nice way to proxy a restful server on a different domain. I'm not that familiar with RequestFactory, though - would a setup like this make any sense? Anybody think it be a worthwhile project to take up?
>
> On Wed, Oct 13, 2010 at 12:03 PM, Jeff Larsen larse...@gmail.com wrote:
> > I am beginning a new project and I was wondering what the options are for using JSON and REST as the protocol for using the RequestFactory. The framework I'm writing must be portable across multiple types of backend environments, Java, C#, PHP etc.
> >
> > In reading the docs/Ctrl+F I didn't find REST or JSON mentioned. What are my out of the box options for using JSON/Rest?
Re: RequestFactory + Rest/JSON?
I've been using RequestBuilder to access REST/JSON services since GWT version 1.7.0. Back then, you had to extend RequestBuilder as it was limited to POST and GET (to be compatible with Apple's then non-compliant Safari browser). With both GWT 2.0.3 and GWT 2.0.4, I've been using GWT's included XHR methods (DELETE, GET, HEAD, POST and PUT) and haven't felt the need to extend RequestBuilder just to get a couple more methods (that I don't use) in the name of full REST compliance. I'm using JavaScript Overlays both for the creation and reception of my entity objects.

I have to say that I'm quite pleased with this arrangement. Using CouchDB as a back-end, I can serve my GWT application as a CouchApp and use the same database to serve and store my entities (documents). To use a JavaEE server, I set up my entities as EJB3 JPA objects, use Hibernate to get them from an RDBMS, convert them to JSON in the web server and provide them to the front-end in the exact same format as a document store (like CouchDB) would.

The only gotcha that I've found (and it cost me a lot of time) is with the use of the PUT method while running GWTTestCases. Don't bother trying! Every other method works, but PUT needs to be fixed (and I haven't quite found it yet). See http://code.google.com/p/google-web-toolkit/issues/detail?id=4719&q=PUT%20GwtTestCase&colspec=ID%20Type%20Status%20Owner%20Milestone%20Summary%20Stars for a description of this problem. As I was attempting to test my modules before they were integrated, this really hampered my integration testing. For acceptance testing, you can load your application up on HTMLUnit or JWebUnit and everything seems to work fine.

You also have to be aware that JSONP is possible with GWT, but it's really not REST. Technically, you can only do GET methods (since the browser thinks it's retrieving a page resource) and while you can fool it with a method override, that can be dicey. I'd recommend only using JSONP for retrieval of data from third-party sites (it's tempting to use JSONP to circumvent SOP ... don't do it).

Wow ... that was a bit long-winded, but I think it's safe to say that REST/JSON with GWT is no longer the bleeding edge.

Hope this helps,
Steve Moyer
Re: RequestFactory + Rest/JSON?
On 14 oct, 00:59, Steve Moyer smoye...@gmail.com wrote:
> I've been using RequestBuilder to access REST/JSON services since GWT version 1.7.0.
> [...]
> Wow ... that was a bit long-winded, but I think it's safe to say that REST/JSON with GWT is no longer the bleeding edge.

Has it ever been?! I've been using the exact same approach since GWT 1.5.0 (with Spring Webscripts on the server side though; well, at the time they were Alfresco Web Scripts, not Spring Webscripts, and given that we haven't upgraded/updated the backend, they're still not Spring Webscripts, to be exact)
Re: RequestFactory + Rest/JSON?
Has it ever been? ... I meant that you could pretty much do your REST/JSON with the RequestBuilder as shipped in GWT 2.x. Prior versions needed extra code around what was shipped.

smoyer

On Oct 13, 7:32 pm, Thomas Broyer t.bro...@gmail.com wrote:
> On 14 oct, 00:59, Steve Moyer smoye...@gmail.com wrote:
> > I've been using RequestBuilder to access REST/JSON services since GWT version 1.7.0.
> > [...]
> > Wow ... that was a bit long-winded, but I think it's safe to say that REST/JSON with GWT is no longer the bleeding edge.
>
> Has it ever been?! I've been using the exact same approach since GWT 1.5.0 (with Spring Webscripts on the server side though; well, at the time they were Alfresco Web Scripts, not Spring Webscripts, and given that we haven't upgraded/updated the backend, they're still not Spring Webscripts, to be exact)