i want to check this code but the link is broken
On Wednesday, December 21, 2011 10:38:04 AM UTC-4, Thomas Broyer wrote:
-- On Wednesday, December 21, 2011 10:38:04 AM UTC-4, Thomas Broyer wrote:
On Wednesday, December 21, 2011 3:18:25 PM UTC+1, EMan wrote:there have been several posts on RequestFactory security, but I am still not clear. the sample code here:uses a filter to determine if a user can access the RequestFactory service. But what happens once a user authenticates? does he have access to all back end request?Yes.ie, if I have a findById method and a findAll (for my admin users) method in my locator, could a user authenticate, then post to either and receive all the data in my table?Yes.How do we authenticate individual types of request?Either do it at the start of each method (use RequestFactoryServlet.getThreadLocalRequest(). getUserPrincipal() to get the current user). Or create a ServiceLayerDecorator and override the invoke(Method,Object...) method to add the check (probably based on some annotation on the method).I believe you could also use "standard AOP" (Spring AOP or Guice AOP, probably also AspectJ or similar) on your services.We use the second approach, it works very well.
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment