Some form of credentials (login/password, or more likely a "token" or "session ID") must be sent with each and every request to the server, and the server must check authorizations and/or "profile" (filter, etc.) the response depending on the user who made the request.
-- How you do it exactly is up to you, depends on your server-side technology stack (you're using GWT-RPC, so I'm assuming a Java web app; but there still might be huge differences depending on how you deploy it and how/whether you're going to scale horizontally). Easiest will be to simply store the user in the HttpSession (HttpServerRequest.getSession), so the "session ID" is sent to the browser as a cookie, and the browser then automatically sends it with each request.
Next thing you need to care about though, is CSRF (cross-site request forgery), so you'd want to actually send a "synchronizer token" to the GWT app (and store it in the HttpSession), which will send it in each request (either in a custom HTTP header, or as an argument to your RPC), and the server checks that the received token is the same as the one stored in the session. See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
This is Web App Security 101 (A2, A4 and A8 in https://www.owasp.org/index.php/Top_10_2013-Top_10 )
Last note: I'd store the user (and csrf token) on the client-side in a "global variable", and not use it in the URL.
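One way to wire the session, the per-request authorization check and the synchronizer token described above into the question's GWT-RPC servlet, as an added example that is not code from this thread. Assumed and not in the original: a UserStore.verify helper that does the BCrypt check, LoginResult and AdminReport DTOs, a ReportStore, and two unchecked, GWT-serializable exception types.

```java
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;
import static java.nio.charset.StandardCharsets.UTF_8;
// Added example, not the thread's code. UserStore, ReportStore, LoginResult,
// AdminReport and the two exception types are hypothetical.
public class DBConnectionImpl extends RemoteServiceServlet implements DBConnection {
    private static final String USER_ATTR = "authUser";
    private static final String CSRF_ATTR = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();
    // Login: verify the password server-side (BCrypt, as in the question), bind the
    // user to the HttpSession (its ID travels as a cookie) and hand the GWT client a
    // synchronizer token that it keeps in memory and sends with every call.
    @Override
    public LoginResult authenticateUser(String username, String password) {
        User user = UserStore.verify(username, password);
        if (user == null) throw new AuthenticationException("Invalid credentials");
        HttpSession stale = getThreadLocalRequest().getSession(false);
        if (stale != null) stale.invalidate(); // fresh session ID after login
        HttpSession session = getThreadLocalRequest().getSession(true);
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(USER_ATTR, user);
        session.setAttribute(CSRF_ATTR, token);
        return new LoginResult(user.getUsername(), user.getType(), token);
    }
    // Every protected RPC starts here: identity comes from the session, never from
    // the Place token in the URL, and the CSRF token must match the stored one.
    private User requireUser(String csrfToken) {
        HttpSession session = getThreadLocalRequest().getSession(false);
        User user = session == null ? null : (User) session.getAttribute(USER_ATTR);
        String expected = session == null ? null : (String) session.getAttribute(CSRF_ATTR);
        if (user == null || expected == null || csrfToken == null
                || !MessageDigest.isEqual(expected.getBytes(UTF_8), csrfToken.getBytes(UTF_8))) {
            throw new AuthenticationException("Not authenticated");
        }
        return user;
    }
    // The server decides what the caller sees: editing "Admin" to "Admin2" in the
    // browser URL changes nothing, because the role is read from the session user.
    @Override
    public AdminReport getAdminReport(String csrfToken) {
        User caller = requireUser(csrfToken);
        if (!"Admin".equals(caller.getType())) throw new AuthorizationException("Admin role required");
        return ReportStore.forUser(caller); // response filtered to the authenticated caller
    }
}
```

The client passes the token as an RPC argument here; the custom-header variant is what GWT's own XsrfProtectedServiceServlet implements.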
On Monday, June 6, 2016 at 3:29:19 PM UTC+2, Olar Andrei wrote:
Well, the login is done as shown below:

    final String username = usernameBox.getText();
    final String password = passwordBox.getText();
    GWT.runAsync(new RunAsyncCallback() {
        @Override
        public void onSuccess() {
            performUserConnection(username, password);
        }

        @Override
        public void onFailure(Throwable reason) {
            // TODO Auto-generated method stub
        }
    });

    private static void performUserConnection(String username, String password) {
        DOM.getElementById("loading").getStyle().setDisplay(Display.BLOCK);
        DBConnectionAsync rpcService = (DBConnectionAsync) GWT.create(DBConnection.class);
        ServiceDefTarget target = (ServiceDefTarget) rpcService;
        String moduleRelativeURL = GWT.getModuleBaseURL() + "DBConnectionImpl";
        target.setServiceEntryPoint(moduleRelativeURL);
        rpcService.authenticateUser(username, password, new AsyncCallback<User>() {
            @Override
            public void onSuccess(User user) {
                DOM.getElementById("loading").getStyle().setDisplay(Display.NONE);
                if (user.getType().equals("User")) {
                    String username = user.getUsername();
                    presenter.goTo(new UserPlace(username));
                } else if (user.getType().equals("Admin")) {
                    String username = user.getUsername();
                    presenter.goTo(new AdminPlace(username));
                }
            }

            @Override
            public void onFailure(Throwable caught) {
                DOM.getElementById("loading").getStyle().setDisplay(Display.NONE);
                DialogBox dialogBox = createDialogBox();
                dialogBox.setGlassEnabled(true);
                dialogBox.setAnimationEnabled(true);
                dialogBox.center();
                dialogBox.show();
            }
        });
    }
So there is a form; the username and password are sent to the server using RPC, where the user is checked and the password verified (BCrypt hash), and then, if they match, in the onSuccess() method the user is redirected to the new Place with the username as token. How should I change this?
On Monday, June 6, 2016 at 14:47:47 UTC+3, Olar Andrei wrote:
Hello,
For now my application (MVP) has a login page, and 2 other places, the AdminPlace and the UserPlace.
My URL looks like this:
The login form consists of username and password, where the username is passed as a token to the next Place.
A user can't connect if he does not know the password, but let's say I'm logged in like in the link above. If I change the Admin to Admin2 or whatever, I still can see the page content. I don't want this. How can I avoid this?
Thanks in advance