GWT Session/login


Renato Beserra

May 26, 2011, 8:12:39 AM
to google-we...@googlegroups.com
Hey guys,

I am developing a GWT application that requires login and I am using GWT RPC. I implemented a simple login/session feature that is handled with calls to the database to verify the authenticity of the session ID.   

I know that this is not efficient, but I am hesitating to use HTTPSession because I didn't find good information about its use with GWT.

So, my question is: Should I use HTTPSession? I have the feeling that everything would stay only in memory and that could make the application less robust.

I have concerns regarding security so I intend to use an HTTPS connection. Is that enough to prevent forged requests?

I am just getting started with web development, so any links and explanations would be very useful.

I already looked at the following links about this subject:




Thanks in advance!

--
Renato Beserra Sousa
Brazil

Juan Pablo Gardella

May 26, 2011, 1:17:33 PM
to google-we...@googlegroups.com
Use a framework to manage security concerns, for example Spring Security. This framework uses HttpSession, for example.


Renato Beserra

May 27, 2011, 9:17:07 AM
to google-we...@googlegroups.com
Do you know if the integration is easy? I searched the web and found some examples but they seem complex. Basically, I need to check some permissions in the database given a session and a user id. Do you think that Spring is suitable for that situation?

Thanks Juan!





--
Renato Beserra Sousa

Juan Pablo Gardella

May 27, 2011, 9:20:14 AM
to google-we...@googlegroups.com
Yes, it is easy and powerful. I'll make a sample and share it with you.




Renato Beserra

May 27, 2011, 2:57:18 PM
to google-we...@googlegroups.com
Thanks a lot Juan, it will be very useful!




--
Renato Beserra Sousa

Juan Pablo Gardella

May 27, 2011, 3:04:53 PM
to google-we...@googlegroups.com
Here you are:


If you have any questions, ask me :)

Regards,
Juan


Renato Beserra

May 27, 2011, 9:55:50 PM
to google-we...@googlegroups.com
Amazing example! I will work on this next week. 

Thank you very much! :)

Renato Beserra

Jun 16, 2011, 12:53:13 PM
to google-we...@googlegroups.com
Hi Juan, 

Thanks again for the example.

I managed to run it today. The installation was easy, but I have a few questions.

1) Should the database be auto generated and populated?  I am using m2eclipse and I used the following commands:

maven install
maven package
maven package jetty:deploy-war

The app is running and I can log in, but I see no "provincias" nor "partidos". Is that right?

I didn't get any build errors.

2) It is not clear to me where the login is implemented. I was expecting something like a "login Service" to make the bridge between GWT and spring-security but I didn't find one. Could you explain to me how the login is handled?

Thanks in advance!

Juan Pablo Gardella

Jun 16, 2011, 1:39:08 PM
to google-we...@googlegroups.com
You don't need to run mvn package every time, and you don't need install.
You run mvn package one time, then always mvn jetty:deploy. If you change some classes, you must package again. To run in hosted mode, use mvn gwt:run. But it is better to run hosted mode inside Eclipse.

1) src/main/resources/import.sql is used to populate the database. JPA annotations are used to generate it.
2) See WEB-INF/applicationContext-security.xml. You can develop a LoginService as a wrapper of Spring Security.

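    import java.util.Collection;
    import java.util.HashSet;

    import javax.inject.Inject;

    import org.springframework.context.ApplicationContext;
    import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;

    // Thin wrapper over Spring Security's SecurityContextHolder.
    // ILoginService is the sample project's own interface.
    public class LoginService implements ILoginService {

        @Inject
        ApplicationContext applicationContext;

        // Authorities of the Authentication bound to the current request thread.
        private Collection<GrantedAuthority> getAuthorities() {
            return getAuthorities(SecurityContextHolder.getContext()
                    .getAuthentication());
        }

        // Empty set when the principal is not a UserDetails; throws when
        // there is no Authentication at all.
        private Collection<GrantedAuthority> getAuthorities(Authentication auth) {
            Collection<GrantedAuthority> roles = new HashSet<GrantedAuthority>();

            if (auth == null)
                throw new AuthenticationCredentialsNotFoundException(
                        "No Authentication");

            Object obj = auth.getPrincipal();

            if (obj instanceof UserDetails)
                roles = ((UserDetails) obj).getAuthorities();

            return roles;
        }

        public String getUserName() {
            return getUserName(SecurityContextHolder.getContext()
                    .getAuthentication());
        }

        // Username from UserDetails when available, otherwise the
        // principal's string form.
        private String getUserName(Authentication auth) {

            if (null == auth)
                throw new AuthenticationCredentialsNotFoundException(
                        "No Authentication");

            Object obj = auth.getPrincipal();
            String username = "";

            if (obj instanceof UserDetails)
                username = ((UserDetails) obj).getUsername();
            else
                username = obj.toString();

            return username;
        }

        // True when the current user holds an authority named exactly rol.
        public boolean hasRol(String rol) {
            for (GrantedAuthority authority : getAuthorities()) {
                if (authority.getAuthority().equals(rol))
                    return true;
            }
            return false;
        }

        // True whenever the security context holds any Authentication object.
        public boolean isLogged() {
            Authentication auth = SecurityContextHolder.getContext()
                    .getAuthentication();
            return auth != null;
        }

        // Clears the Authentication from the current security context.
        public void logout() {
            SecurityContextHolder.getContext().setAuthentication(null);
        }

        // Authority names of the given Authentication as plain strings.
        private HashSet<String> roles(Authentication authentication) {
            HashSet<String> roles = new HashSet<String>();
            Collection<GrantedAuthority> _roles = getAuthorities(authentication);
            for (GrantedAuthority gr : _roles) {
                roles.add(gr.getAuthority());
            }
            return roles;
        }

    }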

Juan 
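
An added example, not part of the post above or of the sample project: a stricter variant of the wrapper's isLogged() and logout(), which treats Spring Security's anonymous token as not logged in and invalidates the HttpSession on logout. The class name SessionState and passing the HttpServletRequest in as a parameter are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper (the name is an assumption), added for illustration. */
public final class SessionState {

    private SessionState() {
    }

    /**
     * True only for a real, authenticated user. When the anonymous filter is
     * enabled, unauthenticated requests carry an AnonymousAuthenticationToken,
     * so a plain null check would report them as logged in.
     */
    public static boolean isLogged() {
        Authentication auth = SecurityContextHolder.getContext()
                .getAuthentication();
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }

    /**
     * Ends the login on the server: drops the HttpSession (and with it the
     * stored SecurityContext and the session id) and clears the context
     * bound to the current thread.
     */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // do not create one
        if (session != null) {
            session.invalidate();
        }
        SecurityContextHolder.clearContext();
    }
}
```

Inside a GWT RemoteServiceServlet the current request is available from getThreadLocalRequest().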


Renato Beserra

Jun 16, 2011, 2:17:34 PM
to google-we...@googlegroups.com
1) Got it!

2) That is exactly the file I was looking for. 

Now I can test spring security with my own project.

Thank you!






--
Renato Beserra Sousa