I'm using gwt on my glassfish server, and I'm attempting to make some of my RPC calls authenticated via cookies. Is this possible? Are there any examples out there of how to code it?

A: 

I assume that you use GWT's RPC servlet for handling requests made by the client.

One option that comes to my mind is to write and configure a ServletFilter which can examine the cookie, before the request reaches GWT's servlet.

Hans Westerbeek
+2  A: 

Depending only on the cookie for authentication will make your website/services vulnerable to Cross-Site Request Forgery (XSRF/CSRF) attacks - read more on that in Security for GWT Applications.

The best way would be to double-check the value you get from the cookie against the one that's been transported to the server by some other means - as part of the request (a header, a custom field, etc.).

Other than that, there are many tutorials covering the subject - just search for Java (servlet) authentication - it doesn't have to be GWT-specific. The Google Web Toolkit Group also has many threads about the subject.

Igor Klimer
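A filter of the kind Hans and Igor describe, as an added example that is not code from the original answers or from GWT itself: it refuses RPC requests whose session was never populated by the login form, then compares the XSRF cookie with a matching request header (the double-submit check), so that a cookie sent automatically by a cross-site form post is not enough on its own. The class, session attribute, cookie and header names are assumptions; the GWT client is assumed to read the cookie and set the header on every RPC call.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter; map it in web.xml to the GWT RPC url-pattern so it runs before the RPC servlet.
public class RpcAuthFilter implements Filter {
    // Assumed names: the login servlet sets the session attribute and issues the (non-HttpOnly) cookie.
    static final String SESSION_USER = "authenticatedUser";
    static final String XSRF_COOKIE = "XSRF-TOKEN";
    static final String XSRF_HEADER = "X-XSRF-TOKEN";
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // 1. The session cookie only proves the browser holds a session; require that the
        //    login form actually populated it before any RPC method runs.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(SESSION_USER) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. Double-submit check: the client copies the XSRF cookie into a request header. A
        //    cross-site form post sends the cookie but cannot read it, so the header will not match.
        String fromCookie = readCookie(request, XSRF_COOKIE);
        String fromHeader = request.getHeader(XSRF_HEADER);
        if (fromCookie == null || fromHeader == null || !tokensMatch(fromCookie, fromHeader)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
    // Constant-time comparison so response timing does not reveal how much of a token matched.
    static boolean tokensMatch(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Later GWT releases ship a built-in form of this idea (XsrfProtectedServiceServlet), which derives the token from the session cookie instead of a second cookie.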
A: 

You might rethink using cookies, as it is a potential security hole. Why not put your communication on HTTPS?

Drejc
HTTPS doesn't prevent XSRF attacks, AFAIK, so you're "just" protected from man-in-the-middle attacks. And it has the additional quirk that makes most browsers **not** cache the content of the HTTPS request. Plus, with GWT and all the AJAX stuff, you either keep the website HTTP or HTTPS - mixing them up can lead to some scary warnings on some browsers - not something you want to show to your users :)
Igor Klimer
True ... but I was thinking of putting the whole site under HTTPS, not mixing it.
Drejc
Right, and then the users would have to download the whole application (JS files) every time they use the site, probably complaining how slow it's loading, etc. Of course, if this is a bank site or something similar, security is priority number 1 and the whole site should be https. Nevertheless, my point about cookie-only authentication still holds.
Igor Klimer
A: 

Can you not just use the standard 'session' scope, i.e.

request.getSession()

A pattern I use in GWT apps is to have a separate 'old fashioned' login form which sets up the session. The GWT app's host page is then displayed after they have successfully logged in.

If the necessary values aren't in the session, then the user isn't logged in. Your service should return an exception, maybe, which instructs the GWT app to redirect to the login page, or display an error.

AlexJReid