Help with openid spring security and GWT
69 views
Skip to first unread message
giannisdag
Jul 14, 2010, 5:04:43 PM7/14/10
to Google Web Toolkit
Hi I am using spring security, and I would like to enable and openid
login and MVP. I am using spring security at the method level access,
not at the page level. Simply, when the user requests an action that
it is not allowed, he is redirected to the login view, where he gets
two form logins, one with site checking which is done, and one with
openid. Spring security is used to catch the method access denial. As
I read, generally openid works like this:
the user is redirected to an openid provider, logins, and then is
redirected back to the url page. This is done automatically with
spring security, but with GWT it needs a new approach, implementing
both spring security and GWT. Does anybody has a demo code?
Also I found an interesting solution GWT + Openid without spring
security.
http://armelnene.blogspot.com/2009/12/dummies-guide-to-gwt-and-openid-with.html
What do you think?
login and MVP. I am using spring security at the method level access,
not at the page level. Simply, when the user requests an action that
it is not allowed, he is redirected to the login view, where he gets
two form logins, one with site checking which is done, and one with
openid. Spring security is used to catch the method access denial. As
I read, generally openid works like this:
the user is redirected to an openid provider, logins, and then is
redirected back to the url page. This is done automatically with
spring security, but with GWT it needs a new approach, implementing
both spring security and GWT. Does anybody has a demo code?
Also I found an interesting solution GWT + Openid without spring
security.
http://armelnene.blogspot.com/2009/12/dummies-guide-to-gwt-and-openid-with.html
What do you think?
Mattias
Jul 14, 2010, 5:26:17 PM7/14/10
to Google Web Toolkit
giannisdag
Jul 16, 2010, 6:05:48 AM7/16/10
to Google Web Toolkit
Matias, thank you very much, your guides are very helpful, I am
working on it for the moment. I followed your paradigm changing at
first my code of using spring security, because I followed See Wah
Cheng's approach. The first problem I had is that, after implementing
your configuration I was getting an AccessDeniedException, even though
I had to get an AuthenticationException. Because of this,
http401UnauthorizedEntryPoint wasn't called. So I added in application
context the <security:intercept-url pattern="/**" access="ROLE_USER" /
> directive, in order to have an AuthenticationException. So it
worked. But I am wondering how you get an AuthenticationException at
the first place. The only difference I see, is that I am not using
<!-- Initialize the Spring MVC DispatcherServlet -->
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</
servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
Spring MVC DispatcherServlet.
On 15 Ιούλ, 00:26, Mattias <mattias.ekstr...@gmail.com> wrote:
> Check outhttp://technowobble.blogspot.com/2010/07/gwt-and-open-id-using-spring....
> > the user is redirected to anopenidprovider, logins, and then is
working on it for the moment. I followed your paradigm changing at
first my code of using spring security, because I followed See Wah
Cheng's approach. The first problem I had is that, after implementing
your configuration I was getting an AccessDeniedException, even though
I had to get an AuthenticationException. Because of this,
http401UnauthorizedEntryPoint wasn't called. So I added in application
context the <security:intercept-url pattern="/**" access="ROLE_USER" /
> directive, in order to have an AuthenticationException. So it
worked. But I am wondering how you get an AuthenticationException at
the first place. The only difference I see, is that I am not using
<!-- Initialize the Spring MVC DispatcherServlet -->
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</
servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
Spring MVC DispatcherServlet.
On 15 Ιούλ, 00:26, Mattias <mattias.ekstr...@gmail.com> wrote:
> Check outhttp://technowobble.blogspot.com/2010/07/gwt-and-open-id-using-spring....
>
> On Jul 14, 5:04 pm, giannisdag <pascoua...@gmail.com> wrote:
>
> > Hi I am using spring security, and I would like to enable andopenid
> > login and MVP. I am using spring security at the method level access,
> > not at the page level. Simply, when the user requests an action that
> > it is not allowed, he is redirected to the login view, where he gets
> > two form logins, one with site checking which is done, and one with
> >openid. Spring security is used to catch the method access denial. As
> > I read, generallyopenidworks like this:
> On Jul 14, 5:04 pm, giannisdag <pascoua...@gmail.com> wrote:
>
> > Hi I am using spring security, and I would like to enable andopenid
> > login and MVP. I am using spring security at the method level access,
> > not at the page level. Simply, when the user requests an action that
> > it is not allowed, he is redirected to the login view, where he gets
> > two form logins, one with site checking which is done, and one with
> >openid. Spring security is used to catch the method access denial. As
> > the user is redirected to anopenidprovider, logins, and then is
> > redirected back to the url page. This is done automatically with
> > spring security, but with GWT it needs a new approach, implementing
> > both spring security and GWT. Does anybody has a demo code?
> > Also I found an interesting solution GWT +Openidwithout spring
> > spring security, but with GWT it needs a new approach, implementing
> > both spring security and GWT. Does anybody has a demo code?
giannisdag
Jul 17, 2010, 12:28:53 PM7/17/10
to Google Web Toolkit
I see you handle this in GwtRPCController
giannisdag
Jul 18, 2010, 8:52:04 PM7/18/10
to Google Web Toolkit
Why the access exception is not an unexpectedFailure of the
remoteServiceServlet;
this is my log
SEVERE: [1279499963707000] javax.servlet.ServletContext log:
dispatcher: Exception while executing
com.example.test.shared.model.command.GetUsers: Access is denied
org.springframework.security.access.AccessDeniedException: Access is
denied
at
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:
71)
at
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:
203)
at
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:
64)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:
172)
at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:
202)
at $Proxy10.execute(Unknown Source)
this is the code of the remoteserviceservlet
@Override
protected void doUnexpectedFailure(Throwable e) {
if (e.getCause() instanceof AccessDeniedException) {
AccessDeniedException ade = (AccessDeniedException) e.getCause();
throw ade;
} else {
super.doUnexpectedFailure(e);
}
}
I would appreciate any help
remoteServiceServlet;
this is my log
SEVERE: [1279499963707000] javax.servlet.ServletContext log:
dispatcher: Exception while executing
com.example.test.shared.model.command.GetUsers: Access is denied
org.springframework.security.access.AccessDeniedException: Access is
denied
at
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:
71)
at
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:
203)
at
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:
64)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:
172)
at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:
202)
at $Proxy10.execute(Unknown Source)
this is the code of the remoteserviceservlet
@Override
protected void doUnexpectedFailure(Throwable e) {
if (e.getCause() instanceof AccessDeniedException) {
AccessDeniedException ade = (AccessDeniedException) e.getCause();
throw ade;
} else {
super.doUnexpectedFailure(e);
}
}
I would appreciate any help
Reply all
Reply to author
Forward
0 new messages