Hello,

I have been using GWT 2.0 for a few days. So, I am trying to code a basic application with a login form and a page accessible only if I am logged in.

Usually, in my web applications with JSF for example, I use Spring Security 3.0 to configure and secure that kind of application. So, I decided to try to do the same thing with my GWT 2.0 application.

I have configured the server part of Spring Security correctly. So from my GWT login page, I can enter my login/password and the authentication via Spring Security is performed. The redirection to the secured page is done and I can get the connected user via an RPC call to a security service that uses the SecurityContext of Spring Security. So, I think that part is OK.

But I have a big problem securing URLs. Indeed, I would like to secure the page to restrict access to a specific role, like I usually do with Spring Security.

In my GWT application, I use the MVP pattern with a central application controller. So, I have only one page, and for that page I go to different views by adding #name_of_view to the end of the URL. For example, to access my login page in development mode, I use the following URL in my browser:

http://127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codesvr=127.0.0.1:9997#login

Once I am correctly logged in, I go to the following view:

http://127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codesvr=127.0.0.1:9997#pagesecured

Because of that, I don't know how to configure the http tag in Spring Security and how to define the URLs to intercept in order to assign them specific roles to restrict access. Furthermore, I think there will be a problem using these URLs between development mode and a classic production mode. No?

So, would someone have any idea to help me configure and secure my application using these URLs? Or by using another technique to secure the application with a form login?

Thanks in advance for your help.

Sylvain.

+2  A: 

You can't use page-level security in this scenario, because your views are being changed on the client side.

The only way to implement role-based security in this kind of application is to use method-level security in your server-side code. You may also restrict access to your Application.html for non-authenticated users by creating a separate non-GWT login page (say, Login.html).

axtavt
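As an added illustration of the arrangement axtavt suggests (this is not part of the original answer): a Spring Security 3.0 http configuration that leaves a plain, non-GWT Login.html open to everyone and requires an authenticated user holding ROLE_USER for everything under the GWT module path. The module path /fr.myapp.Application/ comes from the question's URLs; the role names, the in-memory users and the failure URL are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http auto-config="true" use-expressions="true">
    <!-- The non-GWT login page is reachable anonymously. -->
    <intercept-url pattern="/Login.html" access="permitAll" />

    <!-- Application.html, the compiled *.nocache.js / *.cache.html files and
         every RPC servlet mapped under the module path need a logged-in user.
         Only the request path is matched: the #login / #pagesecured fragment
         never reaches the server, and ** also covers the ?gwt.codesvr=...
         query string of development mode, so one rule serves both modes. -->
    <intercept-url pattern="/fr.myapp.Application/**" access="hasRole('ROLE_USER')" />

    <!-- Deny by default: anything not listed above is refused. -->
    <intercept-url pattern="/**" access="denyAll" />

    <form-login login-page="/Login.html"
                login-processing-url="/j_spring_security_check"
                default-target-url="/fr.myapp.Application/Application.html"
                authentication-failure-url="/Login.html?error=1" />
    <logout logout-success-url="/Login.html" />
  </http>

  <!-- Assumed in-memory users for local testing only; replace with the real provider. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="sylvain" password="secret" authorities="ROLE_USER" />
        <user name="admin" password="secret" authorities="ROLE_USER,ROLE_ADMIN" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

Login.html only needs a plain HTML form that POSTs the fields j_username and j_password to /j_spring_security_check (the Spring Security 3.0 defaults); after a successful login the user lands on Application.html and the GWT controller takes over the #view navigation. The springSecurityFilterChain must be mapped to /* in the web.xml that development mode's embedded server uses as well, otherwise the rules above only apply in production.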
A: 

Agree with @axtavt. In general, you can't use page-level security with GWT, because it is only a single page as far as Spring Security is concerned.

You should do the following:

  1. Secure your RPC URLs. If required, you can use method-level security as axtavt pointed out. To hook up RPC with Spring Security, override the onAfterRequestDeserialized(RPCRequest) method in your RPC servlet. The RPCRequest object has details about the method being invoked and the actual parameters that are being passed to that method. This information is sufficient to prevent one user from updating the records of another user.

  2. In case of an authentication or authorization error in your RPC service, throw appropriate errors and send them to the client. In your client, create a centralized error handler and show the appropriate message to the user.

  3. And finally, in addition to Spring Security, you may want to protect yourself against XSS and CSRF. Refer to Security for GWT Applications for additional information.

sri
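The following is an added example of the hook described in step 1 above; it is not code from the original answer. A base RemoteServiceServlet checks, in onAfterRequestDeserialized, that the Spring Security context attached to the current request holds a non-anonymous authenticated user with one of the roles declared on the invoked service method. The package name, the SecurityService interface, its methods and the role names are assumptions. rpcRequest.getMethod() is the method resolved on the service interface, so the @Secured annotation goes on the interface (the servlet implementation is checked as a fallback). For the context to be populated, the RPC servlet's path must be inside the springSecurityFilterChain mapping (normally /*).

```java
package fr.myapp.server; // assumed package

import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Set;

import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
import com.google.gwt.user.server.rpc.RPCRequest;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Base class for the application's GWT RPC servlets. Every call is checked
 * against the SecurityContext that the Spring Security filter chain attached
 * to the current request, before the service method is invoked.
 */
public abstract class SecuredRemoteServiceServlet extends RemoteServiceServlet {

    @Override
    protected void onAfterRequestDeserialized(RPCRequest rpcRequest) {
        super.onAfterRequestDeserialized(rpcRequest);
        Method method = rpcRequest.getMethod();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Fail closed: switching views on the client (#login, #pagesecured) is not
        // a security boundary, so every RPC call needs a logged-in principal.
        // The anonymous token created by auto-config reports isAuthenticated()
        // as true, so it has to be excluded explicitly.
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            throw new AuthenticationCredentialsNotFoundException(
                    "RPC method " + method.getName() + " requires an authenticated user");
        }

        Secured secured = findSecured(method);
        if (secured != null && !hasAnyRole(auth, secured.value())) {
            throw new AccessDeniedException("User " + auth.getName()
                    + " lacks a required role for RPC method " + method.getName());
        }
        // rpcRequest.getParameters() holds the actual arguments; an ownership
        // check ("the record being updated belongs to auth.getName()") can be
        // done here or inside the service method itself.
    }

    /** @Secured on the service interface wins; the servlet implementation is a fallback. */
    private Secured findSecured(Method interfaceMethod) {
        Secured s = interfaceMethod.getAnnotation(Secured.class);
        if (s != null) {
            return s;
        }
        try {
            Method impl = getClass().getMethod(interfaceMethod.getName(),
                    interfaceMethod.getParameterTypes());
            return impl.getAnnotation(Secured.class);
        } catch (NoSuchMethodException e) {
            return null;
        }
    }

    private static boolean hasAnyRole(Authentication auth, String[] required) {
        Set<String> granted = new HashSet<String>();
        for (GrantedAuthority ga : auth.getAuthorities()) {
            granted.add(ga.getAuthority());
        }
        for (String role : required) {
            if (granted.contains(role)) {
                return true;
            }
        }
        return false;
    }
}

/** Assumed service interface; in the real module it lives in the client package. */
@RemoteServiceRelativePath("securityService")
interface SecurityService extends RemoteService {
    @Secured({ "ROLE_USER", "ROLE_ADMIN" })
    String getConnectedUserName();

    @Secured("ROLE_ADMIN")
    void deleteUser(String login);
}

/** Assumed servlet mapped under /fr.myapp.Application/securityService in web.xml. */
class SecurityServiceImpl extends SecuredRemoteServiceServlet implements SecurityService {
    public String getConnectedUserName() {
        return SecurityContextHolder.getContext().getAuthentication().getName();
    }

    public void deleteUser(String login) {
        // Only reached when the caller holds ROLE_ADMIN.
    }
}
```

Both exceptions thrown here are unchecked; RemoteServiceServlet does not encode them as an RPC failure but reports them through doUnexpectedFailure as an HTTP 500, which arrives in the client's AsyncCallback.onFailure as a StatusCodeException. That is enough for the centralized error handler of step 2 to redirect to #login, but to carry a typed, user-readable error, declare a checked exception on the service method and throw it from the method body instead.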
A: 

First, thanks for your answers.

To secure the RPC services that I export, I thought of using an intercept-url like this:

Is it enough or not? Or is it also necessary to secure the services that I export?

On the other hand, for my login application, I must follow these steps if I have understood correctly:

1/ Create a specific HTML form in Login.html, for example, and give everyone access to that page.

2/ Must I post the form to my Application.html that contains the GWT application? And must I secure Application.html with Spring Security? Or better, everything under the path fr.myApp.Application?

Is that it, or have I not understood all your explanations?

Sylvain.

sylsau
Sylvain, if you want others to see your subsequent clarifications/notes, you need to edit your original question. That way, you keep the whole question in one place, which makes it easy to get an answer.
anjanb
A: 

Have a look at my blog post, http://technowobble.blogspot.com/2010/05/gwt-and-spring-security.html for a sample application that integrates GWT and Spring Security. Hopefully, it will give you some ideas on how to implement your specific needs.

Mattias