I've just started porting my GWT-RPC code to the new RequestFactory mechanism.
In order to prevent cross-site request forgery (CSRF), my GWT-RPC code grabbed the session id that had been stored in a cookie, and included it in the payload of the request. Is that possible with RequestFactory?
I understand that there are four mandatory Locator methods, including findEntity(id_type id); so I'm thinking: oh dear: where do I put my session id?
Generally, you'll extend DefaultRequestTransport to add the token to the request (such as a custom header, but you could also add it to the request body) and pass it to the init of your RequestFactory. On the server-side, you'll either use a servlet filter or you'll extend RequestFactoryServlet to process the token before even processing the RequestFactory request. You're free to define your own "protocol" here: e.g. returning a 403 or 401 status (or whatever) and then process it in the RequestTransport to communicate the result to your app.