How to handle security restrictions using the GWT 2.1 RequestFactory?

I am currently developing a GWT 2.1 application to be deployed to the Google App Engine. I would like to communicate with the server using the new RequestFactory.

My question now is how to handle small-scale security issues in this context? Some server actions (from those declared in RequestContext stubs) should be limited to specific users (possibly depending on the parameters of the remote call). If the call is unauthorized, I would like the client to show the login page (so that you can log in as another user, for example).

From the Expenses example, I know how to implement automatic redirection to the login page, but in this example the security model is quite simple: the client is allowed access to servlets if and only if the user is registered.

Can I create a custom UnAuthorizedException in my server service? Where should I catch this exception? (Can I do this in a servlet filter, for example, in the GaeAuthFilter of Expenses example?)

+3
1 answer

. (, ), .

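import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.gwt.requestfactory.server.RequestFactoryServlet; // GWT 2.1 package

// User is the application's own class; import it from wherever it lives.
public class MyRequestFactoryServlet extends RequestFactoryServlet
{
    // Reject every RequestFactory POST that does not come from a logged-in user.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException
    {
        if (! userIsLoggedIn(req))
        {
            throw new ServletException("not logged in");
        }
        else
        {
            super.doPost(req, res);
        }
    }

    // Same check for GET requests.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException
    {
        if (! userIsLoggedIn(req))
        {
            throw new ServletException("not logged in");
        }
        else
        {
            super.doGet(req, res);
        }
    }

    protected boolean userIsLoggedIn(HttpServletRequest req)
    {
        // insert your custom code here for checking session for valid login token
        User user = (User) req.getSession().getAttribute("LOGGED_IN_USER");
        return user != null && user.isEnabled();
    }
}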

Then map MyRequestFactoryServlet in web.xml in place of RequestFactoryServlet.

, GWT RPC; , /. , , URL- .

+5
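
An added example, not part of the original answer or of the Expenses sample: a servlet filter, the alternative the question asks about, that answers unauthenticated calls with a 401 status so the client can test for it and show the login page. The class name, the `X-Login-Url` header and the login path are assumptions; the session key is the one used in the answer, and the answer's `isEnabled()` check is left out because the `User` class is not shown.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter; map it in web.xml to the RequestFactory servlet's URL pattern. */
public class LoginRequiredFilter implements Filter {
    // Session key taken from the answer; the login path is an assumed placeholder.
    static final String SESSION_KEY = "LOGGED_IN_USER";
    static final String LOGIN_PATH = "/login.html";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(SESSION_KEY) != null;

        if (!loggedIn) {
            // Assumed custom header the client reads to find the login page.
            res.setHeader("X-Login-Url", req.getContextPath() + LOGIN_PATH);
            // A status the client can test for, rather than the generic
            // server error a thrown ServletException typically produces.
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // the RequestFactory servlet is never reached
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}
}
```

The filter gates the endpoint as a whole; limits that depend on the user or on call parameters still have to be checked inside the service methods.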

Source: https://habr.com/ru/post/1782654/

