There is a pure GWT solution here: GWT Spring Security Integration (PURE GWT, NO JSP)
1. Do not use the http element at all (the http tag from the config namespace)
2. Define your AuthenticationRpcService
3. Add an AuthenticationRpcService.authenticate(user,password) method
4. Inject into AuthenticationServiceImpl the AuthenticationProvider bean from security-context.xml
5. Implement AuthenticationRpcService.authenticate(user,password) as:
    // Build an unauthenticated token from the submitted credentials
    User user = new User(login, password, true, true, true, true, new ArrayList<GrantedAuthority>());
    Authentication auth = new UsernamePasswordAuthenticationToken(user, password,
            new ArrayList<GrantedAuthority>());
    try {
        // The provider returns a fully populated, authenticated token on success
        auth = this.authenticationProvider.authenticate(auth);
    } catch (BadCredentialsException e) {
        throw new ClientSideBadCredentialsException(e.getMessage(), e);
    }
    // Publish the authenticated token for the current thread
    SecurityContext sc = new SecurityContextImpl();
    sc.setAuthentication(auth);
    SecurityContextHolder.setContext(sc);
6. Ensure that the Spring Security filter chain is executed during processing of each of your GWT RPC calls (to be sure that the SecurityContext is populated into SecurityContextHolder).
For this sixth step, I added the below to web.xml:
    <!-- Spring Security related configuration -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/dp_web/service/*</url-pattern>
    </filter-mapping>
and the below to applicationContext.xml:
    <bean id="springSecurityFilterChain" class="org.springframework.web.filter.DelegatingFilterProxy"/>
Then I called the authentication service and got the error below:
<p>Problem accessing /service/authenticate. Reason:
<pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.StackOverflowError
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
As you can see, there is a dead loop that causes a StackOverflowError, and I am not good at Spring. After two hours of googling, I can't figure out a way to solve this problem, so can anybody help me? Thanks.
and below to applicationContext.xml:
    <bean id="springSecurityFilterChain" class="org.springframework.web.filter.DelegatingFilterProxy"/>
In this case, the bean is named "springSecurityFilterChain", which is an internal infrastructure bean created by the namespace to handle web security. Note that you should not use this bean name yourself. Once you’ve added this to your web.xml, you’re ready to start editing your application context file. Web security services are configured using the <http> element.
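Added example, not part of the original posts or of the Spring documentation: the configuration from the question next to one way of supplying the "springSecurityFilterChain" bean without the <http> element, assuming Spring Security 3.x. The bean id securityContextPersistenceFilter is a name chosen for this example, and the matcher attribute on filter-chain-map is left out so the default Ant-style matching applies.

```xml
<!-- web.xml (unchanged from the question): DelegatingFilterProxy looks up the
     bean whose name equals <filter-name> and forwards every request to it. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/dp_web/service/*</url-pattern>
</filter-mapping>

<!-- applicationContext.xml, BEFORE (from the question): the target bean is itself
     a DelegatingFilterProxy. With no targetBeanName set it falls back to its own
     bean name, so its delegate is itself and doFilter()/invokeDelegate() recurse
     until the StackOverflowError shown in the trace. -->
<bean id="springSecurityFilterChain"
      class="org.springframework.web.filter.DelegatingFilterProxy"/>

<!-- applicationContext.xml, AFTER (assumed fix, replaces the bean above): the
     name now resolves to a real FilterChainProxy. SecurityContextPersistenceFilter
     restores the SecurityContext from the HTTP session at the start of each
     request and stores it again at the end, so the context set by authenticate()
     is available to later RPC calls and to @Secured checks. -->
<bean id="springSecurityFilterChain"
      class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map>
        <security:filter-chain pattern="/**"
                               filters="securityContextPersistenceFilter"/>
    </security:filter-chain-map>
</bean>

<!-- Hypothetical bean id; any name works as long as filters="..." matches it. -->
<bean id="securityContextPersistenceFilter"
      class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
```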
Does this mean that if I added the below to web.xml:
    <!-- Spring Security related configuration -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/dp_web/service/*</url-pattern>
    </filter-mapping>
I must use <http> to configure something in applicationContext.xml?
In my case, I removed the above stuff from web.xml, added
    @Secured({"ROLE_USER"})
to class ServiceBase and let all other services inherit from it, and added this:
    <security:global-method-security secured-annotations="enabled" />
to applicationContext.xml, and removed everything else related to Spring Security from it. I reran my web app, and every invocation of an inherited service gives a 500 error, so the security mechanism does work, but obviously the following code is not enough:
    User user = new User(login, password, true, true, true, true, new ArrayList<GrantedAuthority>());
    Authentication auth = new UsernamePasswordAuthenticationToken(user, password,
            new ArrayList<GrantedAuthority>());
    try {
        auth = this.authenticationProvider.authenticate(auth);
    } catch (BadCredentialsException e) {
        throw new ClientSideBadCredentialsException(e.getMessage(), e);
    }
    SecurityContext sc = new SecurityContextImpl();
    sc.setAuthentication(auth);
    SecurityContextHolder.setContext(sc);
So the question is what else I should do except:
1. add @Secured({"ROLE_USER"}) to the parent service
2. add <security:global-method-security secured-annotations="enabled" /> to applicationContext.xml