gwtproject / gwt

GWT Open Source Project

Home Page:http://www.gwtproject.org


Looking for a solution to authorize and secure GWT RPC API calls

pthiagarajan opened this issue · comments

GWT version: 2.5.1
Browser (with version): any
Operating System: Ubuntu/Windows


Description

Looking for a solution to authorize and secure GWT RPC API calls

Steps to reproduce

GWT RPC calls bypass the authentication mechanism and allow tampering of requests. The RPC call works even after cookie information is removed from the browser.

Known workarounds

https://www.gwtproject.org/articles/security_for_gwt_applications.html

Links to further discussions

https://www.gwtproject.org/articles/security_for_gwt_applications.html

https://www.digizol.com/2008/09/java-gwt-servlets-web-app-tutorial.html#gwt-servlet-5

Authentication and authorization have to be provided by the application you write. The GWT-RPC server endpoint is implemented as a servlet, and thus you could use a servlet filter to protect it from unauthenticated users. Authorization is usually implemented on the server in the GWT-RPC service method implementations themselves.

The RemoteServiceServlet also offers a few other lifecycle methods to even inspect the payload or the request/session/etc before deserializing, see onBeforeRequestDeserialized, as well as onAfterResponseSerialized and other overridable methods.

> GWT RPC calls bypass the authentication mechanism and allow tampering of requests. The RPC call works even after cookie information is removed from the browser.

This isn't true, any more than any other payload can be tampered with by a malicious client. If the client controls the code (i.e. in their own browser), they can send anything they want - it is up to the server to validate the payload and the user's identity, plus any other business rules, before acting on that data.

Also please note that 2.5.1 is nearly 10 years old - we encourage updating to a newer version as soon as possible (GWT 2.11 was released yesterday).

I'm going to close this for now, but this would be better to discuss on the mailing list, or if you want to chat live with other users, check us out on gitter.im.
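The approach described in the replies above (a servlet filter in front of the RPC servlet for authentication, the `RemoteServiceServlet` lifecycle hook `onBeforeRequestDeserialized` as a second check, and authorization inside the service method against server-side state) put together as one added example. This is illustration code written for this discussion, not code from the GWT project or from the issue's participants. It assumes a hypothetical `AccountService` RPC interface, a session attribute `userId` that the application's own login code sets, an in-memory `AccountStore` standing in for the real data layer, and RPC servlets mapped under `/myapp/rpc/*`; all of these names are made up for the example.

```java
// Added example (not GWT project code): server-side authentication and
// authorization around a GWT-RPC endpoint. Hypothetical names: AccountService,
// AccountStore, the "userId" session attribute and the /myapp/rpc/* mapping.
// Each "---" comment marks what would be a separate source file.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;
import com.google.gwt.user.client.rpc.IsSerializable;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// --- RpcAuthFilter.java: authentication, before the RPC payload is read ---
// Covers the "cookie removed" case from the issue: no session, or a session
// without a logged-in user, is answered with 401 and never reaches the servlet.
public class RpcAuthFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session == null || session.getAttribute("userId") == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // stop the chain; the RPC servlet is not invoked
        }
        chain.doFilter(req, res);
    }
}

// --- AccessDeniedException.java (shared client/server source) ---
// Declared on the RPC interface so the client receives it as a typed failure.
class AccessDeniedException extends Exception implements IsSerializable {
    public AccessDeniedException() {}           // no-arg constructor required by GWT-RPC
    public AccessDeniedException(String msg) { super(msg); }
}

// --- AccountService.java: hypothetical RPC interface ---
interface AccountService extends RemoteService {
    String closeAccount(String accountId) throws AccessDeniedException;
}

// --- AccountStore.java: in-memory stand-in for the real data layer ---
class AccountStore {
    private static final Map<String, String> ownerOf = new HashMap<String, String>();
    static { ownerOf.put("acct-1", "alice"); ownerOf.put("acct-2", "bob"); } // constructed sample data
    static boolean isOwner(String userId, String accountId) {
        return userId != null && userId.equals(ownerOf.get(accountId));
    }
    static void close(String accountId) { ownerOf.remove(accountId); }
}

// --- AccountServiceImpl.java: the GWT-RPC servlet ---
class AccountServiceImpl extends RemoteServiceServlet implements AccountService {

    // Second line of defence, independent of the filter: reject the call before
    // GWT deserializes the payload. An exception here makes RemoteServiceServlet
    // report a generic failure (HTTP 500) to the caller.
    @Override
    protected void onBeforeRequestDeserialized(String serializedRequest) {
        if (currentUserId() == null) {
            throw new SecurityException("RPC call without an authenticated session");
        }
    }

    // Authorization lives in the method: the accountId in the payload is
    // untrusted client input, so ownership is checked against server-side state
    // rather than anything the client claims.
    public String closeAccount(String accountId) throws AccessDeniedException {
        String userId = currentUserId();
        if (accountId == null || !AccountStore.isOwner(userId, accountId)) {
            throw new AccessDeniedException("account is not owned by the current user");
        }
        AccountStore.close(accountId);
        return "closed";
    }

    private String currentUserId() {
        HttpSession session = getThreadLocalRequest().getSession(false);
        return session == null ? null : (String) session.getAttribute("userId");
    }
}

/* web.xml: the filter must be mapped onto the same URL pattern as the RPC servlets.
<filter>
  <filter-name>rpcAuth</filter-name>
  <filter-class>com.example.RpcAuthFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>rpcAuth</filter-name>
  <url-pattern>/myapp/rpc/*</url-pattern>
</filter-mapping>
*/
```

The filter answers the first half of the issue (a request whose session cookie was removed gets a 401 before any RPC code runs), and the ownership check inside `closeAccount` answers the second half: a client can put any `accountId` into the payload, but the server decides whether the logged-in user may act on it. The hook in `onBeforeRequestDeserialized` is deliberately redundant with the filter so that a misconfigured filter mapping does not silently expose the servlet.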