GWT and secure login


Dec 9, 2015, 6:12:10 AM
to GWT Users
Hello all,

I have found the GWT project documentation and examples on the website fantastic. All major subjects are described with nice examples. What I really miss there is user login and security (sessions, validation, etc.). I can't really imagine any web project without user handling. For sure Google has found many articles in this area, and basically there are two options as I understand:

The first article seems to be a bit old, though it describes the basic principles of a custom log-on implementation. The second one seems to be more solid, but I am a bit scared of the fact that just for a single page I need to add a Spring context. Mixing GWT and Spring does not make me confident I am doing the right thing. Are there other ways to do log-on, or are these two patterns the most common?

Thank you.

Ümit Seren

Dec 9, 2015, 8:37:15 AM
to GWT Users
Well, as for any SPA (Single Page App), authentication and authorization are a concern of the server and not really the client.

This is how I usually do it: 
1.) Make the index.html page dynamic. The backend adds information on whether the user is logged in or not when it is rendered.
2.) When GWT loads, check the host page and retrieve the user information. If the user is not logged in, display a Login Button/Menu item or whatever.
3.) When the user clicks on the login menu item/button you can either a.) open a GWT dialog and display a form that creates a POST request to the backend server or b.) navigate to a separate Non-GWT login page with a similar form. (I prefer the Non-GWT login page because it is a bit easier.)
4.) Once the user submits the form with the credentials, the backend will check if the user credentials are correct and if so will create a session (using a session cookie for example). Usually the backend server/framework will handle this for you.
5.) For the Non-GWT login page you just need to redirect to the dynamic index.html (for the GWT dialog option you probably need to refresh the site).

Based on the user information that you retrieve from the dynamic index.html page you can hide and display specific UI elements.
Nevertheless there is one important rule: YOU SHOULD NEVER TRUST THE CLIENT. 
So you must validate and check every GWT request to the backend. Usually this can be done by a backend framework automatically. For example, with Spring you can annotate your service layer with security annotations and the backend will throw an AccessDenied Exception.

The second example you posted is basically describing this approach and you don't really mix GWT and Spring here because GWT has no idea of the Spring context.
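
The split described in the reply above, as an added example that is not part of the thread or of any project mentioned in it: a dynamic host page that only hints login state to the GWT UI, and a servlet filter that enforces the session on every GWT request. It uses the standard `javax.servlet` API; the class names, the `"user"` session attribute, the `logged-in` meta tag and the script path are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Map both classes in web.xml; URL patterns and the "user" attribute are assumptions. */
public final class LoginGate {
    private LoginGate() {}

    /** Returns true only if a session already exists and a login stored "user" in it. */
    static boolean loggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // false: never create a session here
        return session != null && session.getAttribute("user") != null;
    }

    /** Steps 1-2: dynamic host page. The flag is a display hint for the GWT UI only. */
    public static class HostPage extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/html;charset=UTF-8");
            resp.setHeader("Cache-Control", "no-store"); // per-user state must not be cached
            // Only a boolean is written; a user name would need HTML escaping first.
            resp.getWriter().write("<!doctype html><html><head>"
                + "<meta name=\"logged-in\" content=\"" + loggedIn(req) + "\">"
                + "<script src=\"app/app.nocache.js\"></script></head><body></body></html>");
        }
    }

    /** Applied to every GWT service URL: the server decides, whatever the UI hid or showed. */
    public static class SessionRequired implements Filter {
        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            if (!loggedIn((HttpServletRequest) request)) {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return; // the request never reaches the service
            }
            chain.doFilter(request, response);
        }
    }
}
```

The filter covers authentication only; per-role checks still belong on the service methods themselves, as with the security annotations mentioned in the reply.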

Dec 10, 2015, 11:50:57 AM
to GWT Users
Thank you Ümit!
I will follow the second approach. It is also described a bit better.

Jonathan Franchesco Torres Baca

Dec 10, 2015, 6:44:12 PM
