Saturday, July 27, 2013

Re: GWT and Web Security

I am wondering if there is anything standards-based a servlet container can provide when I only have a static set of permissions and customers can define their own roles by combining these permissions. I pretty much always need something like @PermissionRequired instead of @RolesAllowed in my apps because roles are not static. And in addition to method/class-level permissions, which only regulate what a user can do in the app, I also need to authorize the data a user can see.

My workflow is:
1.) UI is built based on a user account's assigned roles and their containing access permissions.
2.) User account selects menu item (= access permission) in UI.
3.) App figures out which of the assigned roles of the account contain the access permission for the selected menu item.
4.) App figures out which data the user account can see based on the active roles calculated in 3.) and filters the data accordingly before sending it to the client UI.

To make 4.) possible, a customer can assign "accessible data" to each role of a given user account. So "accessible data" can vary between user accounts for the same role.

If I am not totally wrong, I think JAAS can't help me here, and I did not find a lot of information about JASPI, but maybe my googling is just bad in this case. Currently the above is a custom implementation, but I am wondering if it's a "let's re-invent the wheel" thing.

-- J.
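
Steps 3.) and 4.) of the workflow above, sketched as an added example that is not part of the original message or of any framework it mentions. All names (`Permission`, `Role`, `Assignment`, `Order`, the region values) are hypothetical, the sample data is constructed, and records require Java 16 or later.

```java
import java.util.*;
import java.util.stream.*;

public class PermissionCheck {
    // Static permission set shipped with the app (hypothetical names).
    enum Permission { VIEW_ORDERS, EDIT_ORDERS, VIEW_INVOICES }

    // Customer-defined role: a named combination of the static permissions.
    record Role(String name, Set<Permission> permissions) {}

    // One role assigned to one account, carrying that account's own "accessible data".
    record Assignment(Role role, Set<String> accessibleData) {}

    record Order(String id, String region) {}

    // Step 3: the account's role assignments that contain the requested permission.
    static List<Assignment> activeAssignments(List<Assignment> account, Permission p) {
        return account.stream()
                .filter(a -> a.role().permissions().contains(p))
                .collect(Collectors.toList());
    }

    // Step 4: deny when no role grants the permission; otherwise filter rows to the
    // union of the data scopes of the active roles only, not of every assigned role.
    static List<Order> visibleOrders(List<Assignment> account, Permission p, List<Order> all) {
        List<Assignment> active = activeAssignments(account, p);
        if (active.isEmpty()) throw new SecurityException("permission required: " + p);
        Set<String> scope = active.stream()
                .flatMap(a -> a.accessibleData().stream())
                .collect(Collectors.toSet());
        return all.stream().filter(o -> scope.contains(o.region())).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Role clerk = new Role("clerk", EnumSet.of(Permission.VIEW_ORDERS));
        Role billing = new Role("billing", EnumSet.of(Permission.VIEW_INVOICES));
        // Constructed sample: one account, two roles, a different data scope per role.
        List<Assignment> account = List.of(
                new Assignment(clerk, Set.of("EU")),
                new Assignment(billing, Set.of("EU", "US")));
        List<Order> orders = List.of(new Order("o1", "EU"), new Order("o2", "US"));

        // Only the clerk role grants VIEW_ORDERS, so the billing role's US scope is ignored.
        System.out.println(visibleOrders(account, Permission.VIEW_ORDERS, orders));
        try {
            visibleOrders(account, Permission.EDIT_ORDERS, orders);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Running the filter on the server before serialization, as step 4.) describes, keeps rows outside the active roles' scope from ever reaching the client.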
