requestfactory security problem


July

Aug 17, 2011, 3:01:19 AM
to google-we...@googlegroups.com
Hello all,
  I'm using GWT 2.3 RequestFactory + GAE 1.5 user authentication for my app. It only allows authenticated people to access it, implemented as below:
If the user has not logged in to Google, redirect him to the Google login screen.
If yes, check if he has the right to access. If yes, display the web UI to the user, or else display an error screen.

My questions are:
1. Do I have to check every gwtRequest to ensure security? I mean, use a filter to check every gwtRequest to see if the user has the right to access. If so, the application is more secure but has to process much more extra payload.
2. If I just use the login authentication but do not check every GWT request after that, is there a risk that unauthorized people may be able to access my app? Does RequestFactory automatically have ways to protect against this?

Thanks.

Nuno Rosa

Aug 17, 2011, 6:09:01 AM
to google-we...@googlegroups.com
RequestFactory accepts a parameter to define a UserInformation class; you should implement this class with your authentication mechanism.
If this parameter is available, RequestFactory will call the isUserLoggedIn method before processing the call.
Check the RequestFactoryServlet implementation: http://code.google.com/p/google-web-toolkit/source/browse/trunk/user/src/com/google/gwt/requestfactory/server/RequestFactoryServlet.java

This is how we define the parameters in web.xml:

<servlet>
  <servlet-name>requestFactoryServlet</servlet-name>
  <servlet-class>com.google.gwt.requestfactory.server.RequestFactoryServlet</servlet-class>
  <init-param>
    <param-name>userInfoClass</param-name>
    <param-value>com.example.server.UserInformationImpl</param-value>
  </init-param>
</servlet>



July

Aug 17, 2011, 6:42:34 AM
to google-we...@googlegroups.com
Thanks for the reply, but it seems both links you provided cannot be opened. I use GWT 2.3 and it seems no UserInformation is defined?

BST

Aug 17, 2011, 6:53:42 AM
to google-we...@googlegroups.com
http://google-web-toolkit.googlecode.com/svn/javadoc/2.3/com/google/gwt/requestfactory/server/RequestFactoryServlet.html

Message in the above link

RequestFactory has moved to com.google.web.bindery.requestfactory. This package will be removed in a future version of GWT.

Jens

Aug 17, 2011, 7:00:05 AM
to google-we...@googlegroups.com
The UserInformation class is old. 

You have to write a ServletFilter that does the authentication for every request and you may also want a custom RequestTransport implementation for RequestFactory. Take a look at the mobilewebapp sample in GWT 2.4 release branch or trunk to see how you can implement it.

-- J.
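
A per-request check of the kind Jens describes, as an added example that is not part of the thread and not the mobilewebapp sample's code. It assumes the App Engine Users API on the server; the class name, the `allowedEmails` init-param and the `login` response header are hypothetical names chosen for the illustration.

```java
// Added example: not code from the thread or from the GWT samples.
package com.example.server; // hypothetical package

import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

/** Checks login and an e-mail allow-list on every request it is mapped to. */
public class RequestAuthFilter implements Filter {
  private final Set<String> allowed = new HashSet<String>();

  @Override
  public void init(FilterConfig cfg) {
    // "allowedEmails" is a hypothetical init-param: comma-separated addresses.
    String raw = cfg.getInitParameter("allowedEmails");
    if (raw == null) return; // nothing configured: every request is denied
    for (String e : raw.split(",")) {
      if (!e.trim().isEmpty()) allowed.add(e.trim().toLowerCase(Locale.ROOT));
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletResponse http = (HttpServletResponse) res;
    UserService users = UserServiceFactory.getUserService();
    if (!users.isUserLoggedIn()) {
      // An XHR gains nothing from a login redirect, so the login URL is passed
      // to the client in a header ("login" is a hypothetical header name).
      http.setHeader("login", users.createLoginURL("/"));
      http.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }
    String email = users.getCurrentUser().getEmail().toLowerCase(Locale.ROOT);
    if (!allowed.contains(email)) {
      http.sendError(HttpServletResponse.SC_FORBIDDEN); // logged in, not permitted
      return;
    }
    chain.doFilter(req, res); // authenticated and authorized
  }

  @Override
  public void destroy() {}
}
```

Map the filter in web.xml to the same url-pattern as the RequestFactory servlet so that no request reaches the servlet unchecked. The 401 response and the header are what a custom client-side RequestTransport would handle.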

Mihail Lesikov

Aug 17, 2011, 7:08:28 AM
to google-we...@googlegroups.com

July

Aug 17, 2011, 10:25:28 AM
to google-we...@googlegroups.com
Very helpful, thank you all for the help.