How it can be done?
- RPC async interface implements ServiceDefTarget. Using this interface, you can set a custom RpcRequestBuilder
- In your custom RpcRequestBuilder, override the doCreate() call super.doCreate() and get an instance of RequestBuilder
- Once you get the instance of RequestBuilder - invoke the setUser() and setPassword() methods
- Alternatively, you may want to pass the username/password as header values. Call the setHeader() method on RequestBuilder to do so.
Its not secure, unless you are using HTTPS for all communication. Even if you are using https, you don't want to maintain the username and password in javascript - it makes you vulnerable if you have a XSS vulnerabilities. And finally, storing the users password in any retrievable form is wrong. Instead, you want to salt and hash passwords. Don't use encryption, because that implies there is a way to recover the password.
Just use standard session techniques. You can login the user once, and then maintain a session on the server side. Your proxy servlet can then invoke the back-end service on behalf of the logged in user, since it has that information in session variables.
--Sri
On 26 May 2010 01:21, Jorel <joel.regen@gmail.com> wrote:
Hi. I have a GWT application running on tomcat that will be using GWT-
RPC to talk to a proxy (gwt servlet). On the proxy I plan on using
preemptive basic authentication to communicate with the backend
server, also running on tomcat. I have figured out how to send the
credentials 'preemptively' to the backend server. So, one approach to
make this work seamlessly from GWT client to backend server is to
somehow inject the username/password into the auth header from within
the GWT client. So, when the user logs into the application, their
username/password could be obtained and injected into the header. The
proxy server (GWT-RPC servlet) would obtain this information and pass
it through to the backend server.
I have the proxy/backend part working fine. I am about to start on
the part where my GWT application injects the username/password into
the header of all requests.
I'm not sure what the best approach is to accomplish this. Does
anyone have a good understanding of how this should be accomplished?
thanks.
jorel
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
No comments:
Post a Comment