Be careful with yesterday’s post
Posted by David Chandler on February 23, 2010
Just in case you missed the comments on yesterday’s “Generic” Objectified ActionHandler, the example code potentially exposes your Datastore to hackers who can spoof or otherwise modify GWT-RPC requests. Be sure to read the comments, and if you’ve never seen Paros, TamperData (Firefox plug-in) or the like, you might want to check those out to see just how easy it is to modify Web requests in ways the developer did not intend. It’s not as easy to modify GWT-RPC because it’s a binary (serialized) protocol, but it’s not encrypted so it certainly is possible.
Bottom line: your server-side code should always check user permissions one way or another. SecureDispatchService (gwt-dispatch) will restrict access to ActionHandlers to only authenticated users, but depending on how many hackers you have in your user base and how private the data needs to be, you may need additional permission checking on each persistence-related action.
You have been warned.