I seem to have coded myself into a corner. First let me tell you what my end goal is: I have a GWT app that will have features available to users who are not logged in, and other features only available to authenticated users. When an unauthenticated user clicks on something that requires authentication, I would like a login box to pop up in a modal window and ask the user to authenticate. (If this is unclear, go to digg.com and try to "digg" a story without being logged in; you'll see what I mean.)

I have code to add a user and save their username and password (hashed with jBCrypt). I also have an RPC that accepts a username and password and can validate if the password is correct.

My problem is validating the session. I can get the JSESSIONID, but that's the part where I get lost. How do I associate the user's ID with that session, and how do I check that it's still valid?

I know GlassFish can manage the session, users & roles for me, but I don't know how to make that work smoothly with GWT. Are there any examples with GWT and authenticating users in a J2EE environment? I've been googling for hours and I've come up with nothing.

+2  A: 

Your question is a bit confusing, since I have the impression that you are going in 2 directions at the same time :-).

If you want to use J2EE authentication, then you will need to use some plain HTML pages that you can configure in the web.xml. Using RequestBuilder you can actually do the interaction with these pages from GWT code (as we do).

If you want to know more about the user that is authenticated, then use the Principal object that comes with the HttpServletRequest. The Principal object has a name attribute.

Using J2EE authentication is very limiting, so in most cases we tend to implement our own instead.

David Nouls
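
An added example, not part of the question or of the answer above: one way to tie a user ID to the servlet session from a GWT RPC servlet and check it on later calls. The class name, the `authenticatedUserId` attribute, the in-memory user map, the sample password and the 30-minute timeout are all assumptions made for illustration, and the matching `RemoteService` interface is not shown.

```java
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import org.mindrot.jbcrypt.BCrypt;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical GWT RPC servlet; names below are illustrative, not from the original post.
public class AuthServiceImpl extends RemoteServiceServlet {
    private static final String USER_ATTR = "authenticatedUserId"; // hypothetical attribute name
    // Constructed stand-in for the user table: username -> jBCrypt hash.
    private static final Map<String, String> USERS = new ConcurrentHashMap<>();
    static {
        USERS.put("alice", BCrypt.hashpw("constructed-sample-password", BCrypt.gensalt()));
    }
    // Compared against when the username is unknown, so both paths cost one bcrypt check.
    private static final String DUMMY_HASH = BCrypt.hashpw("unused", BCrypt.gensalt());

    public boolean login(String username, String password) {
        if (username == null || password == null) return false;
        String stored = USERS.get(username);
        boolean matches = BCrypt.checkpw(password, stored != null ? stored : DUMMY_HASH);
        if (stored == null || !matches) return false;
        HttpServletRequest req = getThreadLocalRequest();
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();          // discard the pre-login JSESSIONID (session fixation)
        HttpSession session = req.getSession(true); // container issues a fresh JSESSIONID
        session.setAttribute(USER_ATTR, username);  // the user ID is kept server-side only
        session.setMaxInactiveInterval(30 * 60);    // idle timeout, in seconds
        return true;
    }

    /** Returns the logged-in user ID, or null if there is no session or it has expired. */
    public String currentUser() {
        HttpSession session = getThreadLocalRequest().getSession(false);
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }

    public void logout() {
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session != null) session.invalidate();
    }

    // Call at the top of every RPC method that is only for authenticated users.
    protected String requireUser() {
        String user = currentUser();
        if (user == null) throw new SecurityException("not authenticated");
        return user;
    }
}
```

The client never sends a user ID: the browser only presents the JSESSIONID cookie, and the container resolves it to the server-side session, returning no session once it has timed out or been invalidated.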