Request Factory Security


EMan

Dec 21, 2011, 9:18:25 AM12/21/11
to google-we...@googlegroups.com
There have been several posts on RequestFactory security, but I am still not clear. The sample code here:
uses a filter to determine if a user can access the RequestFactory service. But what happens once a user authenticates? Does he have access to all back-end requests?
I.e., if I have a findById method and a findAll (for my admin users) method in my locator, could a user authenticate, then post to either and receive all the data in my table? How do we authenticate individual types of request?

Thanks.

Thomas Broyer

Dec 21, 2011, 9:38:04 AM12/21/11
to google-we...@googlegroups.com


On Wednesday, December 21, 2011 3:18:25 PM UTC+1, EMan wrote:
There have been several posts on RequestFactory security, but I am still not clear. The sample code here:
uses a filter to determine if a user can access the RequestFactory service. But what happens once a user authenticates? Does he have access to all back-end requests?

Yes.
I.e., if I have a findById method and a findAll (for my admin users) method in my locator, could a user authenticate, then post to either and receive all the data in my table?

Yes.
How do we authenticate individual types of request?

Either do it at the start of each method (use RequestFactoryServlet.getThreadLocalRequest().getUserPrincipal() to get the current user).
Or create a ServiceLayerDecorator and override the invoke(Method,Object...) method to add the check (probably based on some annotation on the method).
I believe you could also use "standard AOP" (Spring AOP or Guice AOP, probably also AspectJ or similar) on your services.

We use the second approach, it works very well.
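The second approach Thomas describes, written out as an added example (this is not code from the thread, from the GWT samples, or from the posters): a ServiceLayerDecorator whose invoke override reads the current user from RequestFactoryServlet.getThreadLocalRequest() and compares it against an annotation on the domain method. The @RequiresRole annotation, the "admin" role name, the ExpensesRequestFactoryServlet subclass and the annotated service class are assumptions chosen for the illustration; ServiceLayerDecorator, RequestFactoryServlet, DefaultExceptionHandler and the report(...) helper are GWT's own API.

```java
import com.google.web.bindery.requestfactory.server.DefaultExceptionHandler;
import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;
import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical marker: the container role a caller must hold to invoke the method. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole {
  String value();
}

/**
 * Decorator that sits in front of every domain-method invocation made by
 * RequestFactory. Unauthenticated callers are rejected for all methods;
 * methods carrying @RequiresRole additionally require that container role.
 * report(...) raises a ReportableException, which RequestFactory turns into a
 * ServerFailure on the client instead of executing the method.
 */
public class RoleCheckDecorator extends ServiceLayerDecorator {
  @Override
  public <T> T invoke(Method domainMethod, Object... args) {
    HttpServletRequest request = RequestFactoryServlet.getThreadLocalRequest();
    Principal user = request == null ? null : request.getUserPrincipal();

    // Default-deny: a filter may have let the HTTP request in, but every
    // individual method still needs an authenticated principal.
    if (user == null) {
      return report("Authentication required for %s", domainMethod.getName());
    }

    // Per-method authorization driven by the annotation on the domain method.
    RequiresRole required = domainMethod.getAnnotation(RequiresRole.class);
    if (required != null && !request.isUserInRole(required.value())) {
      return report("User %s is not in role %s required by %s",
          user.getName(), required.value(), domainMethod.getName());
    }

    // Check passed: hand off to the next layer, which performs the real call.
    return super.invoke(domainMethod, args);
  }
}

/** Assumed servlet subclass that installs the decorator (registered in web.xml). */
class ExpensesRequestFactoryServlet extends RequestFactoryServlet {
  public ExpensesRequestFactoryServlet() {
    super(new DefaultExceptionHandler(), new RoleCheckDecorator());
  }
}

/** Assumed service class showing the two methods from the question. */
class ReportService {
  // Any authenticated user may look up a single record by id.
  public static Object findById(Long id) {
    return null; // placeholder body; the real service would query the datastore
  }

  // Only callers holding the "admin" role may list every record.
  @RequiresRole("admin")
  public static java.util.List<Object> findAll() {
    return java.util.Collections.emptyList(); // placeholder body
  }
}
```

The decorator is consulted for every method the client can name in a request, so the client-side RequestContext cannot widen its own access: a caller who authenticates and then posts a findAll invocation without the "admin" role receives a failure rather than the table contents. The annotation on the method is the whole policy, which is what makes the approach easy to audit; a method with no annotation deliberately falls back to "authenticated user", not to "anyone".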

Alfredo Quiroga-Villamil

Dec 21, 2011, 9:59:03 AM12/21/11
to google-we...@googlegroups.com
I find Spring Security to be a viable and simple solution to use while giving you a range of possibilities for both Authentication and Authorization. You get exactly that "method to add the check (probably based on some annotation on the method)" as one of the options.

See:


2.4 Method Security

Under the hood I believe it gets implemented using AOP, as Thomas pointed out. Just in this case you are not implementing it yourself, and if tomorrow you decide to support multiple authentication mechanisms, etc., you just add them. The framework is extremely flexible.

Regards,

Alfredo


--
Alfredo Quiroga-Villamil

AOL/Yahoo/Gmail/MSN IM:  lawwton


Clive Cadogan

Jun 19, 2014, 2:45:35 PM6/19/14
to google-we...@googlegroups.com
I want to check this code, but the link is broken.

Thomas Broyer

Jun 22, 2014, 5:09:37 AM6/22/14
to google-we...@googlegroups.com
Code has moved to gwt.googlesource.com, and the "expenses" sample has been retired since then.
You can find the code at https://gwt.googlesource.com/gwt/+/2.4.0/samples/expenses/src/main/java/com/google/gwt/sample/gaerequest/#gaerequest (that was the version of the sample that shipped in GWT 2.4.0).