Securiring GWT-RPC calls?

[Slava Imeshev]

Are there best practices for securing RPC calls? In an app I'm working on some of the calls are OK to go through without authentication, and some do require authentication and authorization. Any thoughts / suggestions?

Slava

[lofid...@gmail.com]

I think, it depends on what kind of server-side technology do you use. 

I'm using normally REST APIs with Spring Boot and for that part I use Spring Security with OAuth2 / JWT token.

But the simplest one would be using Spring Boot and Spring Security like this example: https://spring.io/guides/gs/securing-web

Hope this helps!

[Slava Imeshev]

It’s Java + Tomcat + GWT service servlet.

--
You received this message because you are subscribed to a topic in the Google Groups "GWT Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-web-toolkit/f_QJldsQ-y0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-web-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/e154fd85-7841-4a74-ac36-e7461c71a498n%40googlegroups.com.

[lofid...@gmail.com]

(1) The easiest way would be just to implement an auth filter in your servlet. Just put everything behind the "authentication". Only the login HTML/JSP should be accessible without authentication.

https://www.codejava.net/java-ee/servlet/how-to-implement-authentication-filter-for-java-web-application

(2) Another way is to use Basic Auth of Tomcat

https://jelastic.com/blog/restrict-access-tomcat-web-application-hosting

http://www.avajava.com/tutorials/lessons/how-do-i-use-basic-authentication-with-tomcat.html

But if your webapp is getting complex I would prefer to use Spring Boot + Spring Security. Or maybe JavaEE + Security?