In response to Tihomir reporting this issue on #guvnor and further poking by zenix I logged the following headers:-<br><br>===> Fail<br><a href="http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService">http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService</a>
<br> <br>POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
<br>Host: <a href="http://127.0.0.1:8888">127.0.0.1:8888</a>
<br>User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
<br>Accept-Language: en-gb,en;q=0.5
<br>Accept-Encoding: gzip,deflate
<br>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
<br>Keep-Alive: 115
<br>Connection: keep-alive
<br>Content-Length: 154
<br>Content-Type: text/x-gwt-rpc; charset=utf-8
<br>Referer: <a href="http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesvr=127.0.0.1:9997">http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesvr=127.0.0.1:9997</a>
<br>Cookie: standalone_usage=true
<br>Pragma: no-cache
<br>Cache-Control: no-cache
<br>7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|6808FDC8A4FA3491026441B59E4DB72A|org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|
<br>HTTP/1.1 400 Bad Request
<br>Content-Type: text/plain;charset=ISO-8859-1
<br>Transfer-Encoding: chunked
<br>Date: Wed, 23 Mar 2011 20:11:04 GMT
<br>Server: Apache-Coyote/1.1
<br>Connection: close
<br><br><br><br>===> Success<br><a href="http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService">http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService</a>
<br> <br>POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
<br>Host: <a href="http://127.0.0.1:8888">127.0.0.1:8888</a>
<br>User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
<br>Accept-Language: en-gb,en;q=0.5
<br>Accept-Encoding: gzip,deflate
<br>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
<br>Keep-Alive: 115
<br>Connection: keep-alive
<br><b>X-GWT-Permutation: HostedMode
<br>X-GWT-Module-Base: <a href="http://127.0.0.1:8888/org.drools.guvnor.Guvnor/">http://127.0.0.1:8888/org.drools.guvnor.Guvnor/</a>
<br></b>Content-Type: text/x-gwt-rpc; charset=utf-8
<br>Referer: <a href="http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesvr=127.0.0.1:9997">http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesvr=127.0.0.1:9997</a>
<br>Content-Length: 154
<br>Cookie: standalone_usage=true
<br>Pragma: no-cache
<br>Cache-Control: no-cache
<br>7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|41FA1D8B82DBBBC875605A4A29670D99|org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|
<br>HTTP/1.1 200 OK
<br>Content-Disposition: attachment
<br>Content-Type: application/json;charset=utf-8
<br>Content-Length: 48
<br>Date: Wed, 23 Mar 2011 20:15:38 GMT
<br>Server: Apache-Coyote/1.1
<br><br><br>So, the required GWT "X-GWT-Permutation" header is definitely missing.<br><br>I've posted a question to the GWT forums to see if it's a known issue.<br><br>Has anybody experienced this in "Web" mode?<br>
<br>Cheers,<br><br>Mike <br><br><div class="gmail_quote">On 3 February 2011 16:52, Michael Anstis <span dir="ltr"><<a href="mailto:michael.anstis@gmail.com">michael.anstis@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Anybody else see these errors in Guvnor (5.2.0.M1)?<br><br><span style="font-family: courier new,monospace;">ERROR 03-02 16:35:38,914 (LoggingHelper.java:error:70) Blocked request without GWT permutation header (XSRF attack?)</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?)</span><br style="font-family: courier new,monospace;"><br>GWT2.1 introduced support for preventing XSRF attacks; see <a href="http://groups.google.com/group/google-web-toolkit/web/security-for-gwt-applications?pli=1" target="_blank">here</a>.<br>
<br>I get these errors quite regularly (Firefox 3.6.13, Ubuntu 10.10) both in hosted and web modes (Tomcat 6.0.30). I've looked through the GWT source and (at least in hosted mode) the additional HTTP header to prevent these errors is added as part of GWT's client-side serialisation before POSTing to our RepositoryServiceServlet. I therefore can't explain why I get these errors. In my experience, once the error has occurred and been dismissed, the page\function\operation can be repeated without the error re-occurring (i.e. view "Business rule assets" in the Tree Browser and it may fail the first time; however it works the next time and the next... until the server is restarted, when the cycle continues). The errors can be completely removed by overriding GWT's com.google.gwt.user.server.rpc.RemoteServiceServlet.checkPermutationStrongName to not check the HTTP header and simply return; however this effectively removes XSRF protection (although not implemented pre-GWT2.1 and hence not in Guvnor <=5.1).<br>
<br>I put the email out so people are aware (we switched to GWT2.1 for 5.2.0.M1) so our users may start to report the same error; in which case we should perhaps be prepared for the quick fix...<br><br>With kind regards,<br>
<br>Mike<br>
</blockquote></div><br>
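The following is an added example, not code from Guvnor, GWT or the thread's authors. It replays the two captures above through a small Python audit that mirrors what RemoteServiceServlet.checkPermutationStrongName does on the server (reject a GWT-RPC request whose X-GWT-Permutation header is absent, which is the "XSRF attack?" SecurityException in the log) and additionally decodes the routing fields of the GWT-RPC envelope so an operator can see which service method was blocked. The permutation allowlist, the hex placeholder in it and the shortened request texts are constructed for the example; the value check against that allowlist is a stricter check than the presence test the thread describes and is marked as such in the code.

```python
"""Audit captured GWT-RPC requests for the X-GWT-Permutation header.

Added example (not Guvnor or GWT code). The header matters because a
plain cross-site form POST cannot carry a custom header, so its absence
is what the server treats as a possible XSRF attempt.
"""
from typing import Dict, Tuple

# Assumed allowlist. "HostedMode" is the value GWT development mode sends
# (visible in the successful capture); the hex entry is a constructed
# placeholder standing in for a compiled permutation's strong name.
KNOWN_PERMUTATIONS = frozenset({
    "HostedMode",
    "00000000000000000000000000000000",  # placeholder, not a real permutation
})


def parse_http_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into request line, headers and body.

    Header names are lower-cased (HTTP header names are case-insensitive);
    the body is everything after the first blank line.
    """
    head, _, body = raw.lstrip("\n").partition("\n\n")
    lines = head.splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers, body.strip()


def parse_gwt_rpc_envelope(body: str) -> Dict[str, str]:
    """Decode the routing fields of a GWT-RPC request payload.

    Pipe-delimited layout: version | flags | string-table size | the
    strings | then 1-based indices into that table for module base URL,
    serialization-policy strong name, service interface and method name,
    followed by the parameter count.
    """
    tokens = body.split("|")
    count = int(tokens[2])
    strings = tokens[3:3 + count]
    rest = tokens[3 + count:]
    idx = [int(t) for t in rest[:4]]
    return {
        "version": tokens[0],
        "module_base": strings[idx[0] - 1],
        "policy_strong_name": strings[idx[1] - 1],
        "service": strings[idx[2] - 1],
        "method": strings[idx[3] - 1],
        "param_count": rest[4],
    }


def check_permutation(headers: Dict[str, str],
                      known=KNOWN_PERMUTATIONS) -> Tuple[bool, str]:
    """Presence check as in GWT, plus an allowlist check this example adds."""
    value = headers.get("x-gwt-permutation")
    if value is None:
        return False, "missing X-GWT-Permutation header"
    if value not in known:  # stricter than GWT's own presence-only test
        return False, f"unknown permutation {value!r}"
    return True, f"permutation {value} accepted"


def audit_request(raw: str) -> Dict[str, object]:
    """Return the verdict and the RPC method the request was targeting."""
    request_line, headers, body = parse_http_request(raw)
    accepted, reason = check_permutation(headers)
    env = parse_gwt_rpc_envelope(body)
    return {"request": request_line, "accepted": accepted, "reason": reason,
            "method": f"{env['service']}.{env['method']}"}


# Constructed, shortened versions of the two captures in the thread.
FAILING_REQUEST = """POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
Content-Type: text/x-gwt-rpc; charset=utf-8
Cookie: standalone_usage=true

7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|6808FDC8A4FA3491026441B59E4DB72A|org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|"""

SUCCEEDING_REQUEST = """POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
X-GWT-Permutation: HostedMode
X-GWT-Module-Base: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/
Content-Type: text/x-gwt-rpc; charset=utf-8
Cookie: standalone_usage=true

7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|41FA1D8B82DBBBC875605A4A29670D99|org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|"""

if __name__ == "__main__":
    for capture in (FAILING_REQUEST, SUCCEEDING_REQUEST):
        print(audit_request(capture))
```

Run against the two captures, the first is reported as rejected for the missing header and the second as accepted, both resolving to RepositoryService.subscribe; that is the same split the 400 and 200 responses above show.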