search

tomasbilek / gwteventservice

Automatically exported from code.google.com/p/gwteventservice
Other
0 stars 0 forks source link

Blocked request without GWT permutation header (XSRF attack?) #30

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
since GWT 2.1
@see 
com.google.gwt.user.server.rpc.RemoteServiceServlet#checkPermutationStrongName()

the method checkPermutationStrongName() throws a SecurityException
...
    if (getPermutationStrongName() == null) {
      throw new SecurityException(
          "Blocked request without GWT permutation header (XSRF attack?)");
    }
...
then it's possible to override checkPermutationStrongName() 
in de.novanic.eventservice.service.EventServiceImpl class

@Override
protected void checkPermutationStrongName() throws SecurityException {
    return;
}

to avoid SecurityException

Tanks in advantage and best regards

Original issue reported on code.google.com by vlui...@tiscali.it on 17 Nov 2010 at 12:48

GoogleCodeExporter commented 8 years ago 
also for de.novanic.eventservice.service.RemoteEventServiceServlet,
in effect de.novanic.eventservice.service.EventServiceImpl and 
de.novanic.eventservice.service.RemoteEventServiceServlet are derived from 
com.google.gwt.user.server.rpc.RemoteServiceServlet,
in my project this update work very fine.

Tanks a lot

Original comment by vlui...@tiscali.it on 18 Nov 2010 at 8:29

GoogleCodeExporter commented 8 years ago 
Hi,

when does the SecurityException occur? The demo applications doesn't seem to 
throw this exception when GWT 2.1 is configured.

Original comment by sven.strohschein@googlemail.com on 19 Nov 2010 at 8:17

GoogleCodeExporter commented 8 years ago 
We have the same issue in our application. For some reason, this 
SecurityException is raised randomly since GWT 2.1 upgrade. We don't have 
change anything in our code between the upgrade. Looks like, the header 
X-GWT-PERMUTATION is not always added by the RPC client proxy ... 
The checkPermutationStrongName() override fixes the issue. Sven, is it possible 
to add this fix (or configure a parameter) in the classes implemented by 
RemoteServiceServlet in the trunk ?

Sami

Original comment by sami.ja...@gmail.com on 15 Dec 2010 at 9:20

GoogleCodeExporter commented 8 years ago 
Hi, Sami
Thanks for the excellent work and for your kind attention.
regards Vittorio

Original comment by vlui...@tiscali.it on 15 Dec 2010 at 10:14

GoogleCodeExporter commented 8 years ago 
I am using GWT 2.1 version and I am facing this issue contrary to what the 
other users facing this issue randomly. What is the fix or work around for this 
problem?

Original comment by baldwasa...@gmail.com on 10 Jan 2011 at 12:46

GoogleCodeExporter commented 8 years ago 
Hi baldwasagar,
temporarily you can fix this issue using the method previously explained:

@Override
protected void checkPermutationStrongName() throws SecurityException {
    return;
}

in all classes implemented by RemoteServiceServlet, 
de.novanic.eventservice.service.EventServiceImpl and 
de.novanic.eventservice.service.RemoteEventServiceServlet and so on,
to avoid SecurityException

I'm also waiting for the final fix.

Regards Vittorio

Original comment by vlui...@tiscali.it on 11 Jan 2011 at 8:53

GoogleCodeExporter commented 8 years ago 
I never saw this exception, but it should now be fixed in the trunk version 
(1.2).

Original comment by sven.strohschein@googlemail.com on 16 Jan 2011 at 3:13

GoogleCodeExporter commented 8 years ago 
[deleted comment]
GoogleCodeExporter commented 8 years ago 
The header X-GWT-PERMUTATION is not always added by the RPC client proxy.I 
don't know why.

Original comment by java...@gmail.com on 14 Mar 2011 at 3:09

GoogleCodeExporter commented 8 years ago 
It seams that this issue is marked as fixed... But can someone tell us why is 
ok to override this method ? And why is the header missing from some clients ?

Original comment by TestAndr...@gmail.com on 15 Apr 2011 at 11:47

GoogleCodeExporter commented 8 years ago 
I'm not sure but I think it is due to concurrent access within the browser 
cache, when it fails then the header X-GWT-PERMUTATION is not added by the RPC 
client proxy, this happens only usign many tabs within the same browser and 
heach tab has open a conversation with the same service.

Regards

Original comment by vlui...@tiscali.it on 15 Apr 2011 at 2:19

GoogleCodeExporter commented 8 years ago 
I am seeing this issue in GWT 1.7.0 as well, so the work-around is not 
available. I would like to hear about how one might fix this with earlier 
versions of GWT.

Original comment by paulsuma...@gmail.com on 21 Apr 2011 at 9:35

GoogleCodeExporter commented 8 years ago 
Never got this before (GWT 2.0.3 and before), but have it randomly since GWT 
2.3.

Original comment by sylvain....@gmail.com on 13 Jul 2011 at 10:07

GoogleCodeExporter commented 8 years ago 
[deleted comment]
GoogleCodeExporter commented 8 years ago 
this should work better -

// temp fix for header X-GWT-PERMUTATION is not added randomly by the RPC
// client proxy
@Override
protected void checkPermutationStrongName() throws SecurityException {
    // Content-Type text/x-gwt-rpc; charset=utf-8
    // X-GWT-Permutation F1AEC601C5D8E4490E7096AB58EB
    HttpServletRequest req = this.getThreadLocalRequest();
    if (!req.getContentType().contains("text/x-gwt-rpc")) {
        super.checkPermutationStrongName();
    }
}

Original comment by pollk...@gmail.com on 16 Jul 2011 at 6:10

GoogleCodeExporter commented 8 years ago 
The randomly missing X-*-Headers are a (not yet confirmed) firefox issue. See 
the following links for more infos:
https://bugzilla.mozilla.org/show_bug.cgi?id=646378
http://stackoverflow.com/questions/5429961/gwt-xsrf-sporadic-missing-x-gwt-permu
tation-header

Original comment by m...@censhare.de on 22 Sep 2011 at 1:26