It's been a long time coming, but we've at last brought DWR to version 2.0 release candidate 1.
For the impatient:
There is a full run-down of the changes in the new and noteworthy documentation; however, to whet your appetite:
DWR supports 3 ways to asynchronously transfer messages from the server to the browser: Comet (long-lived HTTP connections), Polling and Piggyback. Of these, Comet and Polling are active (fast, but they require extra network traffic) and Piggyback is passive (slower, but it doesn't need extra network traffic). DWR automatically selects the best method, transparently to the programmer.
Two of the biggest generic dangers to Ajax applications today are Cross-Site Scripting (XSS), which most people are aware of, and the new tool in the hack-box: Cross-Site Request Forgery (CSRF). DWR helps you protect your site against these attacks by providing automatic protection against CSRF attacks for many configurations, and by defaulting to a mode where XSS attacks are reduced.
Check back here soon for more on CSRF and how to protect yourself against it.
Update: Jurgen Van Oosterwijck has blogged with more details about Reverse Ajax.