SSL is only part of the solution since an attacker can still steal a session and send requests to attack your rpc services. Use XSRF token to ensure third parties can't send malicious requests to the rpc services handled by GWT.
The implementation is straightforward. http://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html