Re: gwt authorization in uibinder
153 views
Skip to first unread message
Ümit Seren
Nov 6, 2012, 7:45:10 AM11/6/12
to google-we...@googlegroups.com
It's not going to work. How should the client have a notion of server side authorization definitions?
You will probably have to transmit the permissions to the client and deal with hiding/showing controls manually.
On Monday, November 5, 2012 8:43:04 PM UTC+1, csckid wrote:
You will probably have to transmit the permissions to the client and deal with hiding/showing controls manually.
But always make sure that you also protect/check your backend service calls.
On Monday, November 5, 2012 8:43:04 PM UTC+1, csckid wrote:
I want to apply security framework like apache shiro to my gwt project. I was wondering if I can apply shiro/(spring security) code to Uibinder?
Joseph Lust
Nov 6, 2012, 10:00:59 AM11/6/12
to google-we...@googlegroups.com
Like Ümit said, you can pass the authorizations provided by your Spring Security UserDetailsService to the frontend via an RPC or similar. Then you can decide in your presenters whether to show an element or not. If you want, you can store all your authorizations as an Enum and then you could customize your widgets with a "setRequiredAuthorization()" method, which could be passed in from UiBinder via <someTag requiredAuthorization="{FOO_AUTH}" />. However, ideally you'd keep your views (UiBinder) dumb and leave that authorization checking to a higher level.
Of course, the kicker here is to secure the backend calls. I suggest @Secured or @PreAuthorize annotations to secure your methods, which works out of the box with Spring Security.
Sincerely,
Joseph
Reply all
Reply to author
Forward
0 new messages