jcricket / gwt-syncproxy

Provides Synchronous and Asynchronous access to GWT-RPC servlets from Java and Android
http://www.blueesoteric.com/open-source/gwt-syncproxy
Apache License 2.0

Blocked request without GWT permutation header (XSRF attack)? #2

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Basic testing of GWT 2.0.3 with SyncProxy 0.1.3 got:

java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?)
    at com.google.gwt.rpc.server.RpcServlet.getClientOracle(RpcServlet.java:73)
    at com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:177)
    at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)

Original issue reported on code.google.com by binarymo...@gmail.com on 6 Apr 2010 at 9:16

GoogleCodeExporter commented 9 years ago
And to clarify, this is remoting to a different, fully-functional application 
location, not hosted mode.

Original comment by binarymo...@gmail.com on 6 Apr 2010 at 9:22

GoogleCodeExporter commented 9 years ago
Paraphrase from blog: I was testing with the deRPC mechanism, and this is not presently supported.

Going back to traditional GWT-RPC things are working as expected.

Original comment by binarymo...@gmail.com on 21 Apr 2010 at 9:37

GoogleCodeExporter commented 9 years ago
Got the same problem trying to make a RPC call within a gadget using GWT 
2.1.0M1. Using GWT 2.0.4 works fine.

Original comment by temp.dan...@gmail.com on 24 Aug 2010 at 4:39

GoogleCodeExporter commented 9 years ago
For GWT 2.1, just override this in the RemoteServiceServlet:
    @Override
    protected void checkPermutationStrongName() throws SecurityException {
        // Skips GWT's check for the X-GWT-Permutation header (its XSRF guard).
        return;
    }
Alternatively, send a strong-name header with the POST request; there is no easy way to do that right now.

Original comment by nse...@gmail.com on 28 Oct 2010 at 2:36

GoogleCodeExporter commented 9 years ago
Fixed in version 0.2.

To make it work, make sure the *.gwt.rpc files (generated by GWT) are in the client classpath. SyncProxy will search these files for the correct strong name.

Original comment by gwtdevel...@gmail.com on 13 Nov 2010 at 7:48

GoogleCodeExporter commented 9 years ago
Hello

It doesn't work for me with the latest downloaded package ...
What do you mean by "make sure *.gwt.rpc files (generated by GWT) are in the client classpath"?

Thanks a lot for any help.

Original comment by cgasn...@gmail.com on 19 Nov 2010 at 4:44

GoogleCodeExporter commented 9 years ago
When using RemoteService, GWT (actually the class com.google.gwt.user.rebind.rpc.ServiceInterfaceProxyGenerator) generates <strongname>.gwt.rpc files. These files define a white-list of classes that can be instantiated and serialized/deserialized for your RemoteService.

As mentioned in comment #4, the RemoteServiceServlet class uses these files to validate the request from the GWT client.

To allow SyncProxy (a GWT client) to build the correct request, SyncProxy needs these files too. In case SyncProxy cannot find these files, it sends a 'null' strong name in the request, which causes the exception in RemoteServiceServlet. See the com.gdevelop.gwt.syncrpc.SyncProxy#searchPolicyFile method for details.

"make sure *.gwt.rpc files (generated by GWT) are in the client classpath": Make sure these files can be found and loaded by SyncProxy. SyncProxy searches for these files in the classpath only. Again, see the com.gdevelop.gwt.syncrpc.SyncProxy#searchPolicyFile method for details.

Hope this helps.

Original comment by gwtdevel...@gmail.com on 20 Nov 2010 at 10:29
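
As an added example (not code from gwt-syncproxy or from any commenter in this thread), the following plain-Java client does what the comment on overriding checkPermutationStrongName() and the comment above on policy files describe, without disabling the server-side check: it scans the classpath for the GWT-generated <strongname>.gwt.rpc policy files, as SyncProxy 0.2's searchPolicyFile does, puts the policy strong name into the GWT-RPC payload, and sends the X-GWT-Permutation and X-GWT-Module-Base headers that RemoteServiceServlet looks for. The service interface com.example.client.GreetingService, its greet(String) method, the endpoint http://localhost:8080/app/greet and the module base URL are assumed for illustration and do not come from this page.

```java
// Added example, not part of gwt-syncproxy. Service name, method, endpoint and
// module base URL below are assumptions made for illustration.
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Scanner;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class GwtRpcHeaderClient {
    // Header names GWT's RpcRequestBuilder sets and RemoteServiceServlet reads.
    static final String STRONG_NAME_HEADER = "X-GWT-Permutation";
    static final String MODULE_BASE_HEADER = "X-GWT-Module-Base";
    static final String POLICY_SUFFIX = ".gwt.rpc";

    /** Scan classpath directories and jars for <strongname>.gwt.rpc files and
     *  return the strong names (file name minus suffix), in the spirit of
     *  SyncProxy's searchPolicyFile, reimplemented here for illustration. */
    static List<String> findPolicyStrongNames() throws IOException {
        List<String> names = new ArrayList<String>();
        for (String entry : System.getProperty("java.class.path", "").split(File.pathSeparator)) {
            File f = new File(entry);
            if (f.isDirectory()) {
                collectFromDir(f, names);
            } else if (f.isFile() && entry.endsWith(".jar")) {
                JarFile jar = new JarFile(f);
                try {
                    for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                        addIfPolicy(e.nextElement().getName(), names);
                    }
                } finally {
                    jar.close();
                }
            }
        }
        return names;
    }

    private static void collectFromDir(File dir, List<String> out) {
        File[] children = dir.listFiles();
        if (children == null) return;
        for (File c : children) {
            if (c.isDirectory()) collectFromDir(c, out);
            else addIfPolicy(c.getName(), out);
        }
    }

    private static void addIfPolicy(String path, List<String> out) {
        String name = path.substring(path.lastIndexOf('/') + 1);
        if (name.endsWith(POLICY_SUFFIX)) {
            out.add(name.substring(0, name.length() - POLICY_SUFFIX.length()));
        }
    }

    /** GWT-RPC string escaping: '\' becomes "\\" and '|' becomes "\!". */
    static String escape(String s) {
        return s.replace("\\", "\\\\").replace("|", "\\!");
    }

    /** Build a GWT-RPC version 7 request for String greet(String) on the assumed
     *  com.example.client.GreetingService. The policy strong name travels inside
     *  the payload (it selects the serialization policy on the server); the
     *  permutation strong name travels in the header. */
    static String buildGreetPayload(String moduleBase, String policyStrongName, String arg) {
        String[] table = { moduleBase, policyStrongName,
            "com.example.client.GreetingService", "greet",
            "java.lang.String/2004016611", arg };
        StringBuilder sb = new StringBuilder("7|0|").append(table.length).append('|');
        for (String s : table) sb.append(escape(s)).append('|');
        // 1-based references into the string table, then the parameter list.
        return sb.append("1|2|3|4|")   // module base, policy name, interface, method
                 .append("1|")         // parameter count
                 .append("5|")         // parameter type signature
                 .append("6|")         // parameter value
                 .toString();
    }

    /** POST the payload with the headers the servlet expects; return the raw response. */
    static String post(URL rpcUrl, String moduleBase, String permutationStrongName,
                       String payload) throws IOException {
        HttpURLConnection c = (HttpURLConnection) rpcUrl.openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "text/x-gwt-rpc; charset=utf-8");
        // checkPermutationStrongName() in RemoteServiceServlet only tests that this
        // header is present. A cross-site <form> POST cannot add custom headers,
        // which is the defensive value of the check; overriding it to return
        // gives that up for every client, not just this one.
        c.setRequestProperty(STRONG_NAME_HEADER, permutationStrongName);
        c.setRequestProperty(MODULE_BASE_HEADER, moduleBase);
        OutputStream os = c.getOutputStream();
        os.write(payload.getBytes(StandardCharsets.UTF_8));
        os.close();
        Scanner sc = new Scanner(c.getInputStream(), "UTF-8").useDelimiter("\\A");
        String body = sc.hasNext() ? sc.next() : "";
        sc.close();
        return body;
    }

    public static void main(String[] args) throws IOException {
        List<String> policies = findPolicyStrongNames();
        if (policies.isEmpty()) throw new IllegalStateException("no *.gwt.rpc file on the classpath");
        String moduleBase = "http://localhost:8080/app/";   // assumed
        URL rpc = new URL(moduleBase + "greet");             // assumed endpoint
        String payload = buildGreetPayload(moduleBase, policies.get(0), "World");
        System.out.println(post(rpc, moduleBase, policies.get(0), payload));
    }
}
```

Two caveats worth keeping in mind. With standard GWT-RPC the servlet's check is only a presence check, so the value sent in X-GWT-Permutation does not have to be a real compiled-permutation hash (the example reuses the policy strong name); deRPC's RpcServlet reads the same header in getClientOracle (the frame in the stack trace at the top of this issue) and will not accept a value it cannot resolve. And because any non-browser client can set the header, the check defends against cross-site requests from a victim's browser, not against a client that talks to the servlet directly; authentication and authorization still have to happen elsewhere.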

GoogleCodeExporter commented 9 years ago
The line building the POLICY_MAP doesn't seem to have the right check in it if 
you're using the direct-eval RPC mechanism. Is direct eval supported?

Original comment by daniel.white on 25 Nov 2010 at 4:14