I have a servlet that sends emails when a form is submitted, and it works fine. This is done by calling, from the client side, the
sendMail() method that is implemented in sendMailServiceImpl.
My question is about security: is there a way for someone to enter a specific URL and have those emails sent? Something like
    <servlet>
        <servlet-name>sendMailServiceImpl</servlet-name>
        <servlet-class>com.gw.myproject.server.SendMailServiceImpl</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>sendMailServiceImpl</servlet-name>
        <url-pattern>/myproject/sendMail</url-pattern>
    </servlet-mapping>
GWT-RPC uses a POST request. The servlet will not listen to GET. There are some mechanisms included that will require some knowledge about the request (strongname and serialization policy) and the protocol itself.
But if someone captures a request, he can also send a request.
The request is secured against XSS because of the same-origin policy. But this will not help against requests from plain Java or Python or a browser which are started with
For some more details: GWT RPC data format
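
One way to make a request sent from outside the application depend on a logged-in session and to stop it being repeated in bulk, shown as an added example that is not part of the original question or answer: a servlet filter placed in front of the `/myproject/sendMail` URL pattern from the web.xml above. The class name `SendMailGuardFilter`, the session attribute `user`, the one-minute interval and the use of the `javax.servlet` API are assumptions.

```java
package com.gw.myproject.server;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class): runs before SendMailServiceImpl and
// rejects requests that do not belong to a logged-in, non-throttled session.
public class SendMailGuardFilter implements Filter {
    // Assumptions: the login code stores the user under USER_ATTR, and one
    // accepted sendMail call per session per minute is enough for the form.
    private static final String USER_ATTR = "user";
    private static final String LAST_ATTR = "sendMail.lastAccepted";
    private static final long MIN_INTERVAL_MS = 60_000L;
    private static final Object LOCK = new Object();

    @Override public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for an unauthenticated caller.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Per-session throttle; the lock makes the read-check-write atomic.
        synchronized (LOCK) {
            Long last = (Long) session.getAttribute(LAST_ATTR);
            long now = System.currentTimeMillis();
            if (last != null && now - last < MIN_INTERVAL_MS) {
                response.sendError(429); // Too Many Requests
                return;
            }
            session.setAttribute(LAST_ATTR, now);
        }
        chain.doFilter(request, response); // hand over to the GWT-RPC servlet
    }

    @Override public void destroy() { }
}
```

The filter takes effect once it is declared in web.xml with a `<filter>` entry and a `<filter-mapping>` whose `<url-pattern>` is `/myproject/sendMail`.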