
    SmartGWT + SiteMinder

    Hi,

    I am facing an issue integrating SiteMinder with SmartGWT.

    When the SiteMinder web agent is on the web server with all my application-related URLs protected, I get the exception below while loading the tree grid.

    Ex caught! (TypeError): 'null' is null or not an object

    Application works when SM agent is turned off.

    Is there any JS or image URI that needs to be added to the exclusion list?


    Help...................

    #2
    Please see the FAQ for the information you need to post in order to enable others to help you.



      #3
      Found the Issue...

      We use DataSourceLoader to load all the DS XML from the database.

      DataSource.load(String[] result, new Function() {.....}); ---- This method creates the URL below in the back end for loading the DS XML, which is being blocked by the SiteMinder cross-site scripting rule. :(


      <APP_BASE_URL>/sc/DataSourceLoader?dataSource=........List of DSXML ID's.....&isc_rpc=1&isc_v=v8.3p_2013-03-23&isc_xhr=1&isc_tnum=0&_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">0</transactionNum><operations xsi:type="xsd:List"><elem>__ISC_NULL__</elem></operations></transaction>&protocolVersion=1.0

      Is there a way to make the call a POST instead of a GET? Any other workaround would help me.



        #4
        Whatever rule has been enabled in SiteMinder, it is broken, and should be either fixed or disabled.



          #5
          Works fine when the XSS SiteMinder rule is disabled, and vice versa.



            #6
            Is there any way I can make the DataSourceLoader method use POST instead of GET? :)



              #7
              You could use Feature Sponsorship to have this added to a future version. In the existing version, no. There is no setting for this, and it definitely cannot be considered a bug that DataSourceLoader uses GET.

              Again, we would recommend fixing this at the SiteMinder level, since it is obviously a SiteMinder issue.



                #8
                Although you might be technically correct, I am afraid that SiteMinder has by far the largest market share in the SSO market among the Fortune 500. They are unlikely to change this behavior because you guys don't want to provide a workaround. This will just result in a reduced market for your product. Sort of biting off your nose to spite your face here. We have to manually change this in our SmartGWT-generated code, but it is a pain in the butt. I would expect many people just move on to another product during evaluations when they find this issue, especially if you provide such a glib response to a valid business concern of a customer. If IE had a similar quirk, you would provide a workaround to generate different code. Not much different here, given the prevalence of SiteMinder in your target demographic.



                  #9
                  That wasn't a glib response, it's the result of having worked with SiteMinder many times and at many institutions over the last 18 years or so.

                  SiteMinder was originally designed to protect sites with basic interactivity passing simple data around. When you apply it to a general purpose data protocol like Isomorphic's servlets, it's going to flag a lot of random things. If you try to work around the common cases, it will still be tripped up by certain combinations of data, and then you've got intermittent data loss in production.

                  The correct and only solution is to turn off SiteMinder's protections for Isomorphic servlets. It's not providing any kind of protection there in any case. You can leave it on for other parts of the site and for other sites of course.

                  Next time you perceive one of our responses as "glib" please reconsider.




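To see which part of a request a character-based XSS rule objects to, as discussed in posts #3 and #9, the following added example (not code from the thread or from Isomorphic) lists the query parameters whose decoded values contain blocked characters. The blocked character set, the host, the data source IDs and the second URL are assumptions constructed for illustration.

```python
from urllib.parse import quote, unquote_plus, urlsplit

# Assumption: characters a character-based XSS rule rejects. Constructed for
# illustration; read the real list from your own agent configuration.
BLOCKED_CHARS = frozenset("<>'")

def flagged_params(url, blocked=BLOCKED_CHARS):
    """Map each query parameter to the blocked characters found in its value.

    The query is split by hand so that a raw, unencoded URL (as pasted in
    post #3) and its percent-encoded form are analysed the same way.
    """
    hits = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        found = sorted(set(unquote_plus(value)) & blocked)
        if found:
            hits[unquote_plus(name)] = found
    return hits

# Constructed sample: host and dataSource IDs are placeholders; the
# _transaction payload follows the shape of the URL quoted in post #3.
TRANSACTION = (
    '<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" '
    'xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">0'
    '</transactionNum><operations xsi:type="xsd:List">'
    '<elem>__ISC_NULL__</elem></operations></transaction>'
)
BASE = "https://app.example.test/sc/DataSourceLoader?dataSource=dsA,dsB&isc_rpc=1&isc_xhr=1"
RAW_URL = BASE + "&_transaction=" + TRANSACTION + "&protocolVersion=1.0"
ENCODED_URL = BASE + "&_transaction=" + quote(TRANSACTION, safe="") + "&protocolVersion=1.0"

# Constructed sample (hypothetical path): an ordinary data value that
# trips the same rule, the situation post #9 warns about.
DATA_URL = "https://app.example.test/app/search?lastName=O%27Brien&page=2"

if __name__ == "__main__":
    for label, url in (("raw", RAW_URL), ("encoded", ENCODED_URL), ("data", DATA_URL)):
        print(label, flagged_params(url))
```

Running it over the agent's rejected-request URLs shows whether the rule fires only on the `_transaction` XML envelope or also on ordinary field values, which is what decides how much of the application a per-URL exclusion has to cover.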