I have to secure a section of my GWT-based application from being accessed directly via some URL.

Actually there is an index page which is the login page. The user gives credentials and enters the app (the module to be secured).

Currently what I am doing is that when a user logs in I save his username into the session ( session.setAttribute("username", username) ) and load the required view for the user.

Now whenever the user navigates the application I call a method via RPC which checks whether the "username" attribute is set in the session; if it is set then the method returns true, and false otherwise. And of course if it returns false then I load the index view of the application (which tells the user to log in).

Now I have to call this method before I load any module which should be accessed by a logged-in user only, to restrict illegal access via URL etc.

From the scenario given above kindly guide me; if it is the right strategy to secure some module. Or are there other good ways to do the same thing.

Cheers! Raza

+2  A: 

While your approach would work, I feel a Servlet Filter is the best place to authorize web server requests. Since all the requests have to pass through the filters before hitting the servlet, this is the best place to make proceed/abort/redirect decisions, based on the URL pattern and your session attributes.

Having ( /* ) security filters also ensures that all your web app requests pass through the authorization test first, leaving the servlet code to just do the business stuff.

Ashwin Prabhu
Thanks a lot Mr. Ashwin Prabhu. I am surely gonna adopt the suggested way. Cheers!
Raza
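
A sketch of the /* filter the answer describes, checking the "username" session attribute from the question. This is an added example, not code from either poster. The public paths (/index.html and /app/login) are assumptions; any static files the login page itself needs would have to be listed as well.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: one authorization check in front of every servlet.
@WebFilter("/*")
public class AuthFilter implements Filter {

    // Assumed paths reachable without a session: the login page and the login RPC.
    // Exact matching fails closed: any unusual form of a URL is treated as protected.
    private static final Set<String> PUBLIC_PATHS =
            Set.of("/", "/index.html", "/app/login");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Path relative to the web app, independent of the context path.
        String path = req.getRequestURI().substring(req.getContextPath().length());

        // getSession(false): never create a session for an unauthenticated caller.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null
                && session.getAttribute("username") != null;

        if (loggedIn || PUBLIC_PATHS.contains(path)) {
            chain.doFilter(req, res);   // servlet code only does the business work
            return;
        }
        if ("POST".equals(req.getMethod())) {
            // RPC calls are POSTs made from script; a redirect would not change
            // the page, so return a status the client's onFailure can act on.
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            // Direct navigation to a protected URL: back to the login page.
            res.sendRedirect(req.getContextPath() + "/index.html");
        }
    }
}
```

With the filter in place the decision is enforced on the server for every request, so the client-side RPC check from the question only decides which view to show.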