Security when using GWT RPC

Posted by gerdemb on Stack Overflow See other posts from Stack Overflow or by gerdemb
Published on 2010-05-21T19:19:20Z Indexed on 2010/05/21 19:40 UTC
Read the original article Hit count: 267

Filed under:

gwt

|

java

|

servlets

|

security

|

rpc

I have an POJO in Google Web Toolkit like this that I can retrieve from the server.

class Person implements Serializable {
  String name;
  Date creationDate;
}

When the client makes changes, I save it back to the server using the GWT RemoteServiceServlet like this:

rpcService.saveObject(myPerson,...)

The problem is that the user shouldn't be able to change the creationDate. Since the RPC method is really just a HTTP POST to the server, it would be possible to modify the creationDate by changing the POST request.

A simple solution would be to create a series of RPC functions like changeName(String newName), etc., but with a class with many fields would require many methods for each field, and would be inefficient to change many fields at once.

I like the simplicity of having a single POJO that I can use on both the server and GWT client, but need a way to do it securely. Any ideas?

© Stack Overflow or respective owner

Related posts about gwt

How to include an external jar in gwt client side?

as seen on Stack Overflow - Search for 'Stack Overflow'
I would like to use the org.apache.commons.validator.GenericValidator class in a view class of my GWT web app. I have read that I have to implicitely tell that I intend to use this external library. I thought adding the next line into my App.gwt.xml would work. <inherits name='org.apache.commons… >>> More
How to include an external jar in a GWT module?

as seen on Stack Overflow - Search for 'Stack Overflow'
I would like to use the org.apache.commons.validator.GenericValidator class in a view class of my GWT web app. I have read that I have to implicitely tell that I intend to use this external library. I thought adding the next line into my App.gwt.xml would work. <inherits name='org.apache.commons… >>> More
GWT Javascript Exception in Hosted Mode: Result of expression 'doc.getBoxObjectFor' [undefined] is

as seen on Stack Overflow - Search for 'Stack Overflow'
Anyone ever seen this exception? I'm running in hosted mode on GWT 1.6.4 on a mac. I'm using the AutoSuggest and it's throwing this exception trying to show the popup. It works fine in compiled mode, but obviously hosted mode is rather important. [ERROR] Uncaught exception escaped com.google.gwt… >>> More
error when I use GWT RPC

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello everyone... I have a problem with Eclipse when I use an RPC.. If I use a single method call it's all in the right direction but if I add a new method to handle the server I get the following error: com.google.gwt.core.client.JavaScriptException: (null): null at com.google.gwt.dev.shell… >>> More
GWT - occasional com.google.gwt.user.client.rpc.SerializationException

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello we are haunted by occasional occurences of exceptions such as: com.google.gwt.user.client.rpc.SerializationException: Type 'xxx' was not assignable to 'com.google.gwt.user.client.rpc.IsSerializable' and did not have a custom field serializer.For security purposes, this type will not be… >>> More

Related posts about java

Tomcat 6: Access Control Exception?

as seen on Server Fault - Search for 'Server Fault'
I'm trying to setup a tomcat6 server, and I'm trying to match another setup someone else established. However, my deployment (default Ubuntu install) uses a policy.d/ directory structure, and the established server just uses a catalina.policy file. I've tried setting every entry in policy.d to match… >>> More
Problem in creation MDB Queue connection at Jboss StartUp

as seen on Stack Overflow - Search for 'Stack Overflow'
I am not able to create a Queue connection in JBOSS4.2.3GA Version & Java1.5, as I am using MDB as per the below details. I am putting this MDB in a jar file(named utsJar.jar) and copied it in deploy folder of JBOSS, In the test env. this MDB works well but in another env. [ env settings and… >>> More
failing to establish connection between Postgres db and gwt

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I am using Postgres and gwt 2.0 for one of my applications. I am facing problem connecting to the database. When I try to connect it gives "ClassNotFoundException". Here is what I get when I try to connect to database: java.lang.ClassNotFoundException: org.postgresql.Driver at java.net… >>> More
failing to establish connection between postgre db and gwt

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, For i am using postgre and gwt 2.0 for one of my applications. I am facing problem connecting to the database. When i try to connect it gives "ClassNotFoundException". Here is what i get when i try to connect to database: java.lang.ClassNotFoundException: org.postgresql.Driver at java.net… >>> More
Migration and deployement problems JBoss 4.2.2.GA to JBoss 6.0.0.M2

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I'm trying to migrate an application running on JBoss 4.2.2.GA to JBoss 6.0.0.M2 I give you some log to explain my problem : boot.log : 2010-03-16 09:59:29,406 ERROR [org.jboss.system.server.profileservice.ProfileServiceBootstrap] (Thread-2) Failed to load profile: Summary of incomplete deployments… >>> More