Sunday, June 22, 2014

Re: Request Factory Security

Code has moved to, and the "expenses" sample has been retired since then.
You can find the code at (that was the version of the sample that shipped in GWT 2.4.0)

On Thursday, June 19, 2014 8:45:35 PM UTC+2, Clive Cadogan wrote:
I want to check this code, but the link is broken.

On Wednesday, December 21, 2011 10:38:04 AM UTC-4, Thomas Broyer wrote:

On Wednesday, December 21, 2011 3:18:25 PM UTC+1, EMan wrote:
There have been several posts on RequestFactory security, but I am still not clear. The sample code here:
uses a filter to determine if a user can access the RequestFactory service. But what happens once a user authenticates? Does he have access to all back-end requests?

I.e., if I have a findById method and a findAll (for my admin users) method in my locator, could a user authenticate, then post to either and receive all the data in my table?

How do we authenticate individual types of request?

Either do it at the start of each method (use RequestFactoryServlet.getThreadLocalRequest().getUserPrincipal() to get the current user).
Or create a ServiceLayerDecorator and override the invoke(Method,Object...) method to add the check (probably based on some annotation on the method).
I believe you could also use "standard AOP" (Spring AOP or Guice AOP, probably also AspectJ or similar) on your services.

We use the second approach; it works very well.
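
The second approach from the thread (a ServiceLayerDecorator that overrides invoke and checks an annotation), sketched as an added example that is not code from the thread or from the GWT samples. The @RequiresRole annotation and the class names are hypothetical, the roles are assumed to come from container-managed authentication, and denying unannotated methods is a design choice of this example.

```java
import com.google.web.bindery.requestfactory.server.DefaultExceptionHandler;
import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;
import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;

public class RoleCheckingDecorator extends ServiceLayerDecorator {

  /** Hypothetical annotation: roles allowed to call a server-side service method. */
  @Retention(RetentionPolicy.RUNTIME)
  @Target(ElementType.METHOD)
  public @interface RequiresRole {
    String[] value();
  }

  @Override
  public Object invoke(Method domainMethod, Object... args) {
    // domainMethod is the server-side method, so the annotation must be placed there.
    RequiresRole required = domainMethod.getAnnotation(RequiresRole.class);
    HttpServletRequest request = RequestFactoryServlet.getThreadLocalRequest();
    if (required == null || request == null || request.getUserPrincipal() == null
        || !hasAnyRole(request, required.value())) {
      // Fail closed: unannotated methods and anonymous callers are rejected.
      // report() throws, so the client receives a server failure with a fixed message.
      return report("Access denied");
    }
    return super.invoke(domainMethod, args);
  }

  private static boolean hasAnyRole(HttpServletRequest request, String[] roles) {
    for (String role : roles) {
      if (request.isUserInRole(role)) {
        return true;
      }
    }
    return false;
  }

  /** Map this servlet in web.xml in place of the stock RequestFactoryServlet. */
  public static class SecuredRequestFactoryServlet extends RequestFactoryServlet {
    public SecuredRequestFactoryServlet() {
      super(new DefaultExceptionHandler(), new RoleCheckingDecorator());
    }
  }
}
```

With this in place, a findAll service method annotated @RequiresRole("admin") is refused for an authenticated non-admin user even though the servlet filter let the request through.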
