
    Putting the XSRF token in an HTTP header rather than the actionURL

    Per the suggestion from the forum thread <http://forums.smartclient.com/showthread.php?t=22484> and <http://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html>

    We can generate an XSRF token based on the Session ID and append it as a parameter to the RPC action URL (e.g. RPCManager.setActionURL(...)).

    But if we want to put the XSRF token in an HTTP header instead of the actionURL, how can I do that on the SmartGWT client side and server side?

    Per a comment from the security team in my company, an HTTP header is more secure than putting it in the actionURL.

    To supplement: actionUrl is already good, since we can set one and it is included in all DMI calls, so for this case can we have a similar API that sets the HTTP header instead of a URL parameter?
    Last edited by wing.t.lee; 29 Jan 2015, 19:28.

    #2
    You can use DataSource.addRequestTransformer() to add HttpHeaders via dsRequest.setHttpHeaders() on all DataSource requests, and this will be transparent to the components that use the DataSources.

    There is no similar ability to intercept non-DataSource requests - you would have to add HTTP headers via the "requestProperties" argument, which is pervasively available in all such APIs, for example, RPCManager.exportContent().

    If you are interested in an enhancement to add a system-level override that allows all requests to be intercepted in a manner similar to DataSource.addRequestTransformer() except applicable to RPCDMI, BuiltinRPCs and all other non-DataSource requests, that could be accomplished via a Feature Sponsorship.



      #3
      If I want to add a header {"Authorization", "Bearer " + token} when I send every request via the following DataSource, how should I use setHttpHeaders()?


      isc.DataSource.create({
          id: "tagDataSource",
          dataFormat: "json",
          dataURL: url_show_tag_data,
          fields: [
              {name: "AAA"},
              {name: "BBB"},
              {name: "CCC"}
          ],
          allowCrossDomainCalls: true
      });


      Many Thanks!! :)



        #4
        You're in SmartClient, so you just provide httpHeaders as an Object anywhere that you can pass requestProperties.

        Also there is now an RPCManager.transformRequest() API - the possible sponsorship alluded to above was implemented.

        https://www.smartclient.com/smartcli...ansformRequest



          #5
          Thanks for your reply, but I am still a bit confused about how to pass the requestProperties. Is there any example showing how we can pass requestProperties or use .transformRequest()?


          // Build the header map once; DSRequest.httpHeaders expects an object
          // mapping header name -> header value.
          function headerToken(token) {
              return { "Authorization": "Bearer " + token };
          }

          isc.DataSource.create({
              id: "tagDataSource",
              dataFormat: "json",
              dataURL: url_show_tag_data,
              fields: [
                  {name: "AAA"},
                  {name: "BBB"},
                  {name: "CCC"}
              ],
              // requestProperties is an object applied to every DSRequest this
              // DataSource issues; httpHeaders inside it carries the extra headers.
              requestProperties: { httpHeaders: headerToken(token) },
              allowCrossDomainCalls: true
          });

          Thank you!!



            #6
            If you follow the link above you'll find that the SmartClient reference covers all of this (try in particular searching for "requestProperties", which will show you many options for how you could set them), but if you need further help, take a look at our training courses and other offerings here:

            https://www.smartclient.com/services/

