Is a GWT app running on Google App Engine protected from CSRF

Posted by gerdemb on Stack Overflow See other posts from Stack Overflow or by gerdemb
Published on 2010-06-05T16:31:25Z Indexed on 2010/06/05 16:32 UTC
Read the original article Hit count: 300

Filed under:
|
|
|
|

I'm developing a GWT app running on the Google App Engine and wondering if I need to worry about Cross-site request forgery or is that automatically taken care of for me?

For every RPC request that requires authentication, I have the following code:

public class BookServiceImpl extends RemoteServiceServlet implements
BookService {
    public void deleteInventory(Key<Inventory> inventoryKey) throws NotLoggedInException,  InvalidStateException, NotFoundException {
        DAO dao = new DAO();
            // This will throw NotLoggedInException if user is not logged in
        User user = dao.getCurrentUser();
            // Do deletion here
    }
}

public final class DAO extends DAOBase {
    public User getCurrentUser() throws NotLoggedInException {
            currentUser = UserServiceFactory.getUserService().getCurrentUser();
            if(currentUser == null) {
                throw new NotLoggedInException();
            }
        return currentUser;
    }

I couldn't find any documentation on how the UserService checks authentication. Is it enough to rely on the code above or do I need to to more? I'm a beginner at this, but from what I understand to avoid CSRF attacks some of the strategies are:

  1. adding an authentication token in the request payload instead of just checking a cookie
  2. checking the HTTP Referer header

I can see that I have cookies set from Google with what look like SID values, but I can't tell from the serialized Java objects in the payloads if tokens are being passed or not. I also don't know if the Referer header is being used or not.

So, am I worrying about a non-issue? If not, what is the best strategy here? This is a common enough problem, that there must be standard solutions out there...

© Stack Overflow or respective owner

Related posts about java

Related posts about security