David Chandler's Journal of Java Web and Mobile Development

  • David M. Chandler

    Web app developer since 1994 and Google Cloud Platform Instructor now residing in Colorado. Besides tech, I enjoy landscape photography and share my work at ColoradoPhoto.gallery.


Be careful with yesterday’s post

Posted by David Chandler on February 23, 2010

Just in case you missed the comments on yesterday's "Generic" Objectified ActionHandler, the example code potentially exposes your Datastore to hackers who can spoof or otherwise modify GWT-RPC requests. Be sure to read the comments, and if you've never seen Paros, TamperData (Firefox plug-in) or the like, you might want to check those out to see just how easy it is to modify Web requests in ways the developer did not intend. It's not as easy to modify GWT-RPC because it's a binary (serialized) protocol, but it's not encrypted, so it certainly is possible.

Bottom line: your server-side code should always check user permissions one way or another. SecureDispatchService (gwt-dispatch) will restrict access to ActionHandlers to only authenticated users, but depending on how many hackers you have in your user base and how private the data needs to be, you may need additional permission checking on each persistence-related action.

You have been warned.
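As an added illustration of the per-action permission check described above (not code from the original post, nor from gwt-dispatch or Objectify), here is a save handler that authorizes every update against the record already in the Datastore rather than trusting anything in the client's payload. It assumes gwt-dispatch's ActionHandler/Action/Result/ExecutionContext and App Engine's UserService; Owned and EntityStore are hypothetical seams standing in for the Objectify entity and datastore calls.

```java
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserServiceFactory;
import net.customware.gwt.dispatch.server.ActionHandler;
import net.customware.gwt.dispatch.server.ExecutionContext;
import net.customware.gwt.dispatch.shared.Action;
import net.customware.gwt.dispatch.shared.ActionException;
import net.customware.gwt.dispatch.shared.DispatchException;
import net.customware.gwt.dispatch.shared.Result;

/** Hypothetical: every persisted entity records the App Engine user id of its owner. */
interface Owned { Long getId(); String getOwnerId(); void setOwnerId(String ownerId); }
/** Hypothetical load/save seam over Objectify so the example is not tied to one API version. */
interface EntityStore<T extends Owned> { T load(Class<T> type, Long id); void save(T entity); }

class SaveAction<T extends Owned> implements Action<SaveResult<T>> {
    private T entity;
    SaveAction() {}                              // GWT-RPC needs a no-arg constructor
    SaveAction(T entity) { this.entity = entity; }
    T getEntity() { return entity; }
}
class SaveResult<T extends Owned> implements Result {
    private T entity;
    SaveResult() {}
    SaveResult(T entity) { this.entity = entity; }
    T getEntity() { return entity; }
}

public class SaveHandler<T extends Owned> implements ActionHandler<SaveAction<T>, SaveResult<T>> {
    private final EntityStore<T> store;
    private final Class<T> type;
    public SaveHandler(EntityStore<T> store, Class<T> type) { this.store = store; this.type = type; }

    @Override
    public SaveResult<T> execute(SaveAction<T> action, ExecutionContext ctx) throws DispatchException {
        User user = UserServiceFactory.getUserService().getCurrentUser();
        if (user == null) throw new ActionException("Not signed in"); // second line of defense behind SecureDispatchService
        T incoming = action.getEntity();
        if (incoming.getId() != null) {
            // Update: authorize against the STORED copy. A tampered GWT-RPC payload can carry
            // any id and any ownerId, so the client-supplied owner field is never consulted.
            T stored = store.load(type, incoming.getId());
            if (stored == null || !user.getUserId().equals(stored.getOwnerId()))
                throw new ActionException("Not permitted"); // same reply for missing and foreign rows
        }
        incoming.setOwnerId(user.getUserId()); // creates and updates are owned by the caller, not the payload
        store.save(incoming);
        return new SaveResult<T>(incoming);
    }
    @SuppressWarnings("unchecked")
    @Override public Class<SaveAction<T>> getActionType() { return (Class<SaveAction<T>>) (Class<?>) SaveAction.class; }
    @Override public void rollback(SaveAction<T> a, SaveResult<T> r, ExecutionContext c) {}
}
```

The same load-then-compare step belongs in delete and read handlers too; a handler that only checks authentication still lets any signed-in user operate on any row whose id they can guess or capture.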
