Havanero / gwt-syncproxy

Automatically exported from code.google.com/p/gwt-syncproxy

Blocked request without GWT permutation header (XSRF attack?) #39

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
Not entirely sure. I'm able to send an initial login request which returns 
successfully, but the second one throws the exception found at the bottom of 
this post

What is the expected output? What do you see instead?
onSuccess being called instead of onFailure of the second request

What version of the product are you using? On what operating system?
Android 4.4.3 SyncProxyAndroid-0.4.2

Please provide any additional information below.

SEVERE: Exception while dispatching incoming RPC call
java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.checkPermutationStrongName(RemoteServiceServlet.java:329)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:260)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:305)
        at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.jhi.gwt.germinate3.server.core.util.HeaderFilter.doFilter(HeaderFilter.java:40)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)

Original issue reported on code.google.com by S.Raub...@web.de on 24 Jun 2014 at 10:03

GoogleCodeExporter commented 8 years ago
Check out the https://code.google.com/p/gwt-syncproxy/wiki/CommonIssues wiki. 
This typically happens when the requested compilation files are not present. In 
this case, if the second service call is not included in the GWT-compiled 
script (there are usually several generated) then it can cause this error in 
any given call, not necessarily all of them. Assuming you just upgrade the 
Android library to 0.4.3, do a full clean, deleting all previous GWT-compiled 
files including the gwt-unitCache, and dynmica folders created in your war/ 
path. Then do a recompile and verify if the error still recurs. 

Original comment by p.pr...@blueesoteric.com on 24 Jun 2014 at 1:35

GoogleCodeExporter commented 8 years ago
Unfortunately I still get the same result. Deleted all auto-generated folders, 
cleaned the project in Eclipse, deployed it again and installed the Android app 
again.

Original comment by S.Raub...@web.de on 25 Jun 2014 at 8:29

GoogleCodeExporter commented 8 years ago
As part of the current work, I'm adding better logging and exception handling 
in some cases. However, since this error occurs server-side, it will be harder 
to get information. Can you provide a code sample (client and serverImpl) if 
this is still occurring?

Original comment by p.pr...@blueesoteric.com on 29 Dec 2014 at 2:58
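
One way to collect that server-side information, as an added example (not code from gwt-syncproxy or from the reporter's application): a servlet filter that logs every GWT-RPC POST arriving without the X-GWT-Permutation header, the header whose absence makes RemoteServiceServlet.checkPermutationStrongName throw the SecurityException above. The class name and log format are hypothetical; it targets the javax.servlet API seen in the stack trace.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical diagnostic filter; map it in web.xml ahead of the GWT RPC servlet. */
public class PermutationHeaderAuditFilter implements Filter {
    // Header names as defined by GWT's RpcRequestBuilder.
    static final String STRONG_NAME_HEADER = "X-GWT-Permutation";
    static final String MODULE_BASE_HEADER = "X-GWT-Module-Base";
    private static final Logger LOG =
            Logger.getLogger(PermutationHeaderAuditFilter.class.getName());

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String type = http.getContentType();
            boolean isRpc = "POST".equals(http.getMethod())
                    && type != null && type.startsWith("text/x-gwt-rpc");
            // Log only; the servlet itself still rejects the call, so the
            // XSRF protection is left untouched.
            if (isRpc && http.getHeader(STRONG_NAME_HEADER) == null) {
                LOG.warning("GWT-RPC POST without " + STRONG_NAME_HEADER
                        + " uri=" + clean(http.getRequestURI())
                        + " moduleBase=" + clean(http.getHeader(MODULE_BASE_HEADER))
                        + " userAgent=" + clean(http.getHeader("User-Agent"))
                        + " remote=" + http.getRemoteAddr());
            }
        }
        chain.doFilter(req, res);
    }

    /** Strip control characters so client-supplied values cannot forge log lines. */
    private static String clean(String value) {
        return value == null ? "<absent>" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```

Comparing the logged URI and User-Agent of the failing call with those of the login call that succeeds shows whether the client sent the header on one request and dropped it on the next.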

GoogleCodeExporter commented 8 years ago
The 0.5 update makes some significant changes to the RpcPolicyFinder code. The 
previous code may not have properly detected permutation names in the generated 
files where the 0.5 version expands on the search mechanisms. Try updating to 
0.5 and checking this again. I tried manually replicating this issue with 
two logins but was unable to reproduce the error. Please try 0.5 and if the 
error persists, get me a code sample to try and replicate with. Thanks

Original comment by p.pr...@blueesoteric.com on 15 Jan 2015 at 5:22

GoogleCodeExporter commented 8 years ago
This issue was mapped over to the new GitHub 
Home (https://github.com/jcricket/gwt-syncproxy/issues/39), but is being closed 
at that location as well since there has been no additional information on this 
issue. If this issue persists, please open a new issue at the GitHub repo.

Original comment by p.pr...@blueesoteric.com on 30 Mar 2015 at 2:09