Simply put when the user tries to access the GWT site and does not
have an authenticated session their browser is redirected to secured
sign on page (possibly on a different server). Once the user
authenticates with that page they are redirected back to the original
url ( this was embedded in the url on the first redirect) with a
ticket. this ticket is then verified by the GWT site with the
authentication site and if it is still valid they are allowed access
to the GWT site.
This strategy is similar to Kerberos ticket granting with third party
validation.
The above works great for the first time access to the GWT
app....However all RPC calls are similarily authenticated. Once say
the session with the GWT app expires and the next RPC call happens it
is redirected to the sign on page and causes a security exception. In
firefox this results in an internal SecurityException: Content ... may
not load data from ... and on IE the user is prompted and if they
accept the redirected page's output could be displayed ( different
from the browser being redirected). However neither one is able to
handle a redirect request back to the browser.
Ideally I would like the asycn http request redirect to result in a
new browser window that redirects to the authentication web site. Then
the user authenticates and is redirected back to the GWT site with the
ticket and this would enable the GWT site to validate the ticket and
establish a new session with the user.
How can this be done? Has anyone done something similar ? This is
similar to how Google Auth works as well and so I hope there is
someone who has thought through this redirect to auth page redirect on
rpc async call stuff.