Good day!

For example, when a server requests a "... / get.php" address, it receives a set of data, let it be a certain array [1,2,3]. On the client, by pressing the buttons, this array changes, naturally within the framework of the algorithm in the handlers. And then when you click the Save button, the new array [4,5,6] is sent to "... / set.php" in an HTTP POST request with parameters = the new array, or as JSON.

Question: Is it possible to spoof the data in the HTTP POST request or JSON sent to the server? I.e., can a registered user send his "own" data (for example, array [10,13,1]) to "... / set.php", and how to protect against this?

RequestBuilder is used for requests in GWT.

    import com.google.gwt.http.client.*;

    // Fetch the current array from the server
    String getUrl = "http://xxx.xxx/get.php";
    RequestBuilder getBuilder = new RequestBuilder(RequestBuilder.GET, URL.encode(getUrl));
    try {
        Request request = getBuilder.sendRequest(null, new RequestCallback() {
            public void onError(Request request, Throwable exception) {
                // Couldn't connect to server (could be timeout, SOP violation, etc.)
            }
            public void onResponseReceived(Request request, Response response) {
                if (Response.SC_OK == response.getStatusCode()) {
                    // Parse the JSON and display the data to the client
                }
            }
        });
    } catch (RequestException e) {
        // Couldn't connect to server
    }

    // Next, after the user has clicked the buttons,
    // the new array must be sent back to the database
    String setUrl = "http://xxx.xxx/set.php";
    RequestBuilder setBuilder = new RequestBuilder(RequestBuilder.POST, setUrl);
    setBuilder.setHeader("Content-type", "application/x-www-form-urlencoded");
    // parmsRequest: Map<String, String> of parameters to send (defined elsewhere)
    StringBuilder sb = new StringBuilder();
    for (String k : parmsRequest.keySet()) {
        String vx = URL.encodeComponent(parmsRequest.get(k));
        if (sb.length() > 0) {
            sb.append("&");
        }
        sb.append(k).append("=").append(vx);
    }
    try {
        Request response = setBuilder.sendRequest(sb.toString(), new RequestCallback() {
            public void onError(Request request, Throwable exception) {}
            public void onResponseReceived(Request request, Response response) {}
        });
    } catch (RequestException e) {}

  • Your question is not clear at all. If you need to change the data from the client to the server, then just use https. If you need it so that not all users can receive and save data, then introduce an authentication and authorization system. Neither case concerns GWT itself. - Temka too
  • Yes, it is necessary that the data could be replaced by the same client, for example. I.e., let's say we play poker. The server sent me five cards (2, 3, 5, 7, 8). I asked to replace 2 cards, for example 2, 3. The server sent me 3, 9. I.e., now I have 3, 5, 7, 8, 9. Naturally I don't like it and I want to send my version to the server - 3, 4, 5, 6, 7. I.e., the question is: can I do this, and how can I protect myself from it? If I understand correctly, https only encrypts data so that it is not intercepted along the way. But if the client is interested in the substitution, then how to escape from this? - eugen
  • As an option, check on the server every time what it sent against what came back, but how right is that? Won't this hang the site? - eugen
  • Protecting against this is impossible by definition. However, this situation should not arise. On the non-client side there should be no logic in which he can spoof the data and the server will accept them. As an example, in online games with high performance, the server sends out to all participants of the event, then according to these events each working machine builds the model of the next second. But the server also builds this model and only this model is trusted for it. - Temka also

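The server-authoritative approach from the last comment, applied to the poker case, as an added example that is not code from this thread: the server keeps the deck and the hand, and the "set" request carries only the positions to replace, never the cards. It is sketched in Python rather than the PHP endpoint the question mentions; `HandStore`, `handle_set`, the `replace` field and the card ids are hypothetical names and values.

```python
import secrets

class HandStore:
    """Server-side game state; clients send intent (positions), never cards."""

    def __init__(self, rng=None):
        # Assumption: a CSPRNG is used so that draws cannot be predicted.
        self._rng = rng or secrets.SystemRandom()
        self._games = {}  # session id -> {"deck", "hand", "swapped"}

    def deal(self, session_id):
        deck = list(range(1, 53))  # constructed card ids 1..52
        self._rng.shuffle(deck)
        hand = [deck.pop() for _ in range(5)]
        self._games[session_id] = {"deck": deck, "hand": hand, "swapped": False}
        return list(hand)

    def handle_set(self, session_id, payload):
        """Process the JSON-decoded body of the 'set' request."""
        game = self._games.get(session_id)
        if game is None:
            raise PermissionError("no game for this session")
        # A body carrying anything but the intent (e.g. a full hand) is refused.
        if not isinstance(payload, dict) or set(payload) != {"replace"}:
            raise ValueError("unexpected fields in request")
        positions = payload["replace"]
        if (not isinstance(positions, list)
                or not all(type(p) is int and 0 <= p < 5 for p in positions)
                or len(set(positions)) != len(positions)):
            raise ValueError("invalid positions")
        if game["swapped"]:
            raise ValueError("cards already replaced this round")
        for p in positions:
            # The server draws from its own deck; the client cannot pick values.
            game["hand"][p] = game["deck"].pop()
        game["swapped"] = True
        return list(game["hand"])
```

Nothing the client sends is compared against earlier responses; the server state is the only copy that counts, so the per-request cost is a few list operations.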