Tuesday, October 30, 2012

Re: Security considerations for GWT applications

Hoffer,

I won't be posting that since it is a closed source site and sanitizing it for release is more than I have time for at the moment. However, while there are a lot of configuration files in such a setup, it is just vanilla Spring/GWT/Hibernate for which you can find example projects out on the net.

I just set the failure/success handlers for the <form-login/> tag in Spring Security and then made my login widget POST to the standard login form handler; the custom failure/success handlers return a Login POJO in JSON that is deserialized via AutoBean. I used these, rather than RPC, so that the stock Spring Security setup could be utilized without extending/overriding all of it to log in over GWT-RPC.

The only other bit was having a GWT-RPC with methods to get the current user, and a method to determine if we're logged in. These allow the UI to switch to the proper private/public view when the page is loaded. Finally, I made a custom AsyncCallback implementation to gracefully handle session expirations.

Sincerely,
Joseph
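
A sketch of the handler arrangement described in the message above, added here as an example; it is not the poster's code. The class name, the bean id and the `loggedIn`/`username` fields of the Login JSON are assumptions, and the login widget is assumed to POST over XHR so that it can read the status code and body.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/*
 * Wiring in the Spring Security XML namespace (bean id is an assumption):
 *   <form-login authentication-success-handler-ref="jsonLoginHandler"
 *               authentication-failure-handler-ref="jsonLoginHandler"/>
 */
public class JsonLoginHandler
        implements AuthenticationSuccessHandler, AuthenticationFailureHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res,
            Authentication auth) throws IOException {
        // Hypothetical Login shape; the client deserializes it (e.g. via AutoBean).
        write(res, HttpServletResponse.SC_OK,
              "{\"loggedIn\":true,\"username\":\"" + escape(auth.getName()) + "\"}");
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse res,
            AuthenticationException ex) throws IOException {
        // Identical body for every failure cause: the exception message is not
        // echoed, so the response does not reveal whether the account exists.
        write(res, HttpServletResponse.SC_UNAUTHORIZED,
              "{\"loggedIn\":false,\"username\":null}");
    }

    private static void write(HttpServletResponse res, int status, String json)
            throws IOException {
        res.setStatus(status);
        res.setContentType("application/json");
        res.setCharacterEncoding("UTF-8");
        res.setHeader("Cache-Control", "no-store"); // keep login results out of caches
        res.getWriter().write(json);
    }

    // Escapes a user-controlled value for a JSON string; <, > and & are also
    // escaped in case the body is ever rendered as HTML.
    static String escape(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') out.append('\\').append(c);
            else if (c < 0x20 || c == '<' || c == '>' || c == '&')
                out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        return out.toString();
    }
}
```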


--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/BxRXQChmcVUJ.
