> But this method has the following weak points:
>
> * Some developer may forget to call the checkSession method.
>
> So any of you have any better ideas?
You can overwrite
public String processCall(String payload) throws SerializationException
and do the following:
RPCRequest rpcRequest = RPC.decodeRequest(payload, this.getClass(), this);
if (!rpcRequest.getMethod().getName().equals("login")){
if (!validSession()){
return RPC.encodeResponseForFailure(null, new InvalidSessionException());
}
}
return super.processCall(payload);
So all methods except the login-method will lead to the check
of a valid session. If there is none, a special exception is
thrown, otherwise the standard-way is performed.
> * There is code duplication in the onFailure implementation (Every
> onFailure shud handle the authentication exception)
Implement an AsyncCallback that checks the exception in onFailure
to be InvalidSessionException and react accordingly. Use this
implementation instead of the interface for creating your inner
classes when calling RPCs.
Regards, Lothar
> Yes there is a war sample and the project that generate that war
> (net.orcades.spring-gwt-sample).
> All is provided in the checkout.
> It's maven driven.
This sample doesn't appear to work correctly 'out of the box'.
I did a 'source:jar install' on the 3 components, and then tried to
run the gwt-sample app:
pookey@fork:~/net-orcades-spring-read-only/orcades-spring-gwt-sample$
mvn gwt:gwt
URL: http://localhost:8888/springsample.SampleModule/SampleModule.html
"Cannot find resource 'SampleModule.html' in the public path of module
'springsample.SampleModule' "
Regards,
Ian
Sorry, perhaps this would have been more useful:
[INFO] establishing classpath list (buildClaspathList - scope = COMPILE)
[INFO] google.webtoolkit.home (gwtHome) set, using it for GWT
dependencies - /home/pookey/src/gwt-linux-1.5.3
Loading module 'springsample.SampleModule'
Loading inherited module 'com.allen_sauer.gwt.log.gwt-log-INFO'
[ERROR] Unable to find
'com/allen_sauer/gwt/log/gwt-log-INFO.gwt.xml' on your classpath;
could be a typo, or maybe you forgot to include a classpath entry for
source?
[ERROR] Line 9: Unexpected exception while processing element 'inherits'
com.google.gwt.core.ext.UnableToCompleteException: (see previous log entries)
Ohh... opps... I think this is the problem. I forgot that because
2.5.2 wasnt' available, I downgraded it to 2.5.0.....
sorry for the noise ;)
See below, please.
On Wed, Nov 19, 2008 at 2:29 PM, walden <wmat...@aladdincapital.com> wrote:
>
> Olivier,
>
> I'm still a little perplexed, see below.
>
>> >> * session expiration, because the GWT RPC will fail soon (401).
>> >> * forbiden because the GWT RPC will fail soon (403).
>>
>> When session is expired, the RPC will fail soon with a 401 (Auth
>> required status), before GWT 1.5 it was not (easily ) possible to
>> detect such failure. But session expiration is not an issue for HTTP
>> basic.>> * activation of widget when authority is granted.
>
> Originally, I thought your points were against HTTP auth, but now it
> looks like they were for it?
>
I'm not talking of HTTP Basic Scheme where AFAIK there is no
expiration. I'm talking of Session Base mecanism like Acegi or Form
Based authentication.
What I was (trying) to explain is that when relying on a previous
authentication, then the GWT application is in fact unaware of being
under a restricted access. That might be a good (as it simple). But
when an error (security errors Auth Required (401) when session has
expired , a forbidden access (403)) occurs on a GWT-RPC call the GWT
application has to handle this error (much simpler under GWT >= 1.5).
So the GWT application has to handle some security concern (Auth
required && Forbidden).
>
>>
>> About widget activation && authorization, I my proposal the widget are
>> aware of the authentication events so they can activate/desactivate
>> when login/logout occurs.
>
> This doesn't come up for me. I secure my site in such a way that you
> don't get any widgets until you're authenticated and authorized. I
> thought you were referring to a more fine grained authorization scheme
> where certain widgets appear only for certain users.
I do ! Some GWT element may be notified for the authentication event
(granted authorities) and then they can do what they want ...
>That sort of
> entitlement management goes beyond authorization, and the point I was
> making was that it seems somewhat orthogonal to what protocol you use
> for auth.
Definitively !
>
> Walden
Regards
Olivier.