Tuesday, October 30, 2012

Re: Security considerations for GWT applications


I won't be posting that since it is a closed source site and sanitizing it for release is more than I have time for at the moment. However, while there are a lot of configuration files in such a setup, it is just vanilla Spring/GWT/Hibernate for which you can find example projects out on the net.

I just set the failure/success handlers for the <form-login/> tag in Spring Security and then made my login widget POST to the standard login form handler; the custom failure/success handlers return a Login POJO in JSON that is deserialized via AutoBean. I used these, rather than RPC, so that the stock Spring Security setup could be utilized without extending/overriding all of it to login over GWT-RPC.

The only other bit was having a GWT-RPC with methods to get the current user, and a method to determine if we're logged in. These allow the UI to switch to the proper private/public view when the page is loaded. Finally, I made a custom AsyncCallback implementation to gracefully handle session expirations.

