GWT& XSRF保护 [英] GWT & XSRF Protection

问题描述

如果我了解 GWT的解决方案正确 - 它提供了一个Servlet，用于在客户端生成令牌（当调用RPC端点时）并在服务器端进行验证（当调用命中您的服务时）。

此解决方案是否仅适用于RPC调用？当然，我们需要它来覆盖所有用户生成的服务器请求？

任何其他推荐的XSRF解决方案（我也正在寻找 OWASP的CSRFGuard ）？

解决方案

我修改了GWT示例应用程序以防止XSRF受到保护。该解决方案大致基于GWT开发人员文档中提供的解决方案。 http://code.google.com/p/xsrf-safe/

I'm looking at possible solutions to protect my GWT app against XSRF.

If I understand GWT's solution correctly - it makes available a Servlet which you use to both generate the token on the client-side (when calling your RPC endpoint) and to validate on the server-side (when the call hits your service).

Does this solution only cater for RPC calls? Surely we need it to cover all user generated requests to the server?

Any other recommended XSRF solutions (I'm also looking at OWASP's CSRFGuard)?

解决方案

I modified the GWT Sample App to be protected against XSRF. This solution is roughly based of the solution provided in the GWT developer docs. http://code.google.com/p/xsrf-safe/

这篇关于GWT& XSRF保护的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！