No announcement yet.
  • Filter
  • Time
Clear All
new posts

    Smart GWT vs. Data Miners

    I'm new to this topic, looking for a quick yes/no re Smart GWT capabilities:

    I've inherited an ancient public-facing JSP app that is getting abused by data miners who submit direct HTTP Requests (bypassing the GUI) like
    GET /MyPublicApp/casedetail?casenum=123456&casesite=XY&casecode=Q
    And unfortunately the app's servlet responds, until it becomes unresponsive :)

    Thinking about moving the app into Smart GWT:
    - Does the framework preclude this type of direct HTTP Request (non-GUI) access?
    - By default? Or must this be configured/coded to guard against?
    - If yes, please point to docs.
    - Is there a way to lock down DataSource access to the GUI only? (Or is that already the default?)

    I've looked at the "Raw Request" format in the SmartClient Developer Console (RPC Tab). My understanding is that Smart GWT uses XHR request/response format. Could this also be used in an abusive manner that bypasses the GUI?

    Any guidance appreciated, thanks.

    The classic defense here is to send a random token with the main web page, and require that that token by included with data requests.

    Of course, this doesn't prevent a data miner from logging in, obtaining the token, and then data mining from there. Nothing can ultimately prevent that, except limiting the rate of data requests that are allowed.