[rules-dev] Guvnor XSRF attack?

Michael Anstis michael.anstis at gmail.com
Thu Feb 3 11:52:09 EST 2011


Anybody else see these errors in Guvnor (5.2.0.M1)?

ERROR 03-02 16:35:38,914 (LoggingHelper.java:error:70)      Blocked request without GWT permutation header (XSRF attack?)
java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?)

GWT 2.1 introduced support for preventing XSRF attacks; see here:
<http://groups.google.com/group/google-web-toolkit/web/security-for-gwt-applications?pli=1>.

I get these errors quite regularly (Firefox 3.6.13, Ubuntu 10.10) both in
hosted and web modes (Tomcat 6.0.30). I've looked through the GWT source and
(at least in hosted mode) the additional HTTP header to prevent these errors
is added as part of GWT's client-side serialisation before POSTing to our
RepositoryServiceServlet. I therefore can't explain why I get these errors.
In my experience, once the error has occurred and been dismissed, the
page/function/operation can be repeated without the error re-occurring (i.e.
view "Business rule assets" in the Tree Browser and it may fail the first
time; however it works the next time and the next... until the server is
restarted, when the cycle continues). The errors can be completely removed by
overriding GWT's
com.google.gwt.user.server.rpc.RemoteServiceServlet.checkPermutationStrongName
to not check the HTTP header and simply return; however this effectively
removes XSRF protection (although this was not implemented pre-GWT 2.1 and
hence not in Guvnor <=5.1).

I put this email out so people are aware (we switched to GWT 2.1 for
5.2.0.M1), as our users may start to report the same error, in which case we
should perhaps be prepared for the quick fix...

With kind regards,

Mike
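The post describes two things: GWT 2.1's server-side permutation check in RemoteServiceServlet.checkPermutationStrongName, and the "quick fix" of overriding it to return without checking. The Java below is an added illustration, not Guvnor's RepositoryServiceServlet or any GWT code: it keeps GWT's own check, logs the shape of any rejected request (method, URI, and the headers relevant to the check) so that the missing X-GWT-Permutation header can be diagnosed, and only skips the check when a hypothetical system property (guvnor.skipPermutationCheck, my name, not a real Guvnor setting) is set. It assumes GWT 2.1's RemoteServiceServlet, where checkPermutationStrongName() is a protected method and getThreadLocalRequest() returns the current request.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/**
 * Added example (not Guvnor's or GWT's code): a GWT RPC servlet that keeps the
 * GWT 2.1 permutation-header check but records what a rejected request looked
 * like, so a missing X-GWT-Permutation header can be diagnosed rather than
 * silently ignored.
 */
public class DiagnosingRemoteServiceServlet extends RemoteServiceServlet {

    private static final Logger LOG =
        Logger.getLogger(DiagnosingRemoteServiceServlet.class.getName());

    // Header set by GWT's client-side RPC code; its presence is what
    // RemoteServiceServlet.checkPermutationStrongName() verifies.
    static final String STRONG_NAME_HEADER = "X-GWT-Permutation";

    // Hypothetical property (assumption, not a Guvnor setting) standing in for the
    // "override and simply return" quick fix described in the post.
    static final String SKIP_CHECK_PROPERTY = "guvnor.skipPermutationCheck";

    @Override
    protected void checkPermutationStrongName() throws SecurityException {
        try {
            // GWT's own check: throws SecurityException if the header is absent.
            super.checkPermutationStrongName();
        } catch (SecurityException e) {
            LOG.warning(describe(getThreadLocalRequest()));
            if (Boolean.getBoolean(SKIP_CHECK_PROPERTY)) {
                // The quick fix: accept the request anyway. This removes the XSRF
                // protection GWT 2.1 added, so it must not stay enabled in production.
                return;
            }
            throw e;
        }
    }

    /** Summarises the request fields that matter for the permutation check. */
    static String describe(HttpServletRequest req) {
        if (req == null) {
            return "Blocked GWT RPC request: no thread-local request available";
        }
        StringBuilder sb = new StringBuilder("Blocked GWT RPC request: ")
            .append(req.getMethod()).append(' ').append(req.getRequestURI());
        // Referer/Origin show where the POST came from; User-Agent and Content-Type
        // help tell a real GWT RPC call from a cross-site or non-RPC request.
        String[] names = {STRONG_NAME_HEADER, "Referer", "Origin",
                          "User-Agent", "Content-Type"};
        for (String name : names) {
            String value = req.getHeader(name);
            sb.append("; ").append(name).append('=')
              .append(value == null ? "<absent>" : value);
        }
        return sb.toString();
    }
}
```

Register the subclass in web.xml in place of the RPC servlet whose requests are being blocked; the log line then shows whether a blocked request was a genuine GWT RPC POST that arrived without the header or something else (a cross-site request or a non-RPC hit on the RPC URL). Starting the container with -Dguvnor.skipPermutationCheck=true reproduces the workaround from the post, with the same caveat that it disables the XSRF check entirely.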