
Login/logout & sessions

Hey,

I want to implement login and logout functionality in my web application. Where should I look on how to solve this? The GWT documentation, or is there a special system for this in SmartGWT?

Cheers
BN

#2
Try this.

Hi, I'm new with SmartGWT, but I intend to implement my security as follows:
First, in order to access some entry point the user must go through login.html -> a servlet that verifies the login and establishes a session -> redirects the user to the entry point. And in GWT code (in the RPC services) you can access the user session like this: this.getThreadLocalRequest().getSession()
I am not sure if this is the right approach, but it works. Also, if you do not want to use this ThreadLocalRequest you may try using security like in a Swing app, for example.



#3
Hi,

I did something like this to build login/logout functionality:

1 - made a username - password database table. (I would encrypt the passwords btw.)
2 - made a GWT service which enables username - password authentication (extends RemoteServiceServlet).
3 - in the EntryPoint.onModuleLoad() I call a getUser()-method on the authentication service.
4 - getUser() looks up the current username as a session attribute: this.getThreadLocalRequest().getSession().getAttribute("username").
5 - if no username is available then the user is not logged in and the client's callback should mask the app and show a login dialog.
6 - the login dialog calls the authenticate(username,password)-method on the authentication service.
7 - if the username - password combination is valid then the username is set as a session attribute and something (not null), e.g. a user-object, is returned to the client.
8 - for every subsequent server request we first check if the user is logged in, i.e. if the username is available as a session attribute.
9 - If the user logs out then we simply remove the corresponding session attribute and show the login dialog again.

It works for me, but I don't know if there are any security holes that I missed. So I do not give any warranties for this approach.

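The session-attribute flow from posts #2 and #3 as one GWT RPC servlet. This is an added example, not code from the thread; AuthService and PasswordStore are hypothetical names, and the store is assumed to hold salted password hashes rather than the plaintext of step 1.

```java
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Client-visible RPC interface (kept in the .client package of a real module).
interface AuthService extends RemoteService {
    String getUser();                                      // steps 3-4: current username, or null
    String authenticate(String username, String password); // steps 6-7
    void logout();                                         // step 9
}
// Hypothetical stand-in for the username/password table of step 1. It must compare the
// submitted password against a salted, slow hash (bcrypt, PBKDF2), never a stored plaintext.
interface PasswordStore {
    boolean verify(String username, String password);
}
public class AuthServiceImpl extends RemoteServiceServlet implements AuthService {
    private static final String USER_ATTR = "username";
    protected PasswordStore store; // wired up in init() from the DB layer in a real module (not shown)

    @Override
    public String getUser() {
        // getSession(false): do not create an empty session just to answer "not logged in".
        HttpSession session = getThreadLocalRequest().getSession(false);
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }

    @Override
    public String authenticate(String username, String password) {
        if (username == null || password == null || !store.verify(username, password)) {
            return null; // step 7: null tells the client's callback to keep the login dialog up
        }
        HttpServletRequest req = getThreadLocalRequest();
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate(); // discard the pre-login session id so a fixed id cannot be reused
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(30 * 60); // idle timeout in seconds (post #7's pointer)
        session.setAttribute(USER_ATTR, username);
        return username;
    }

    @Override
    public void logout() {
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session != null) session.invalidate(); // step 9: drop the whole session, not just the one attribute
    }
}
```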


#4
What about user permissions and roles? And session life and expiration? How do you manage them? How do you manage the content access for a specific user with a specific role and rights? Is the getThreadLocalRequest() the right approach? What if the GWT project is part of another big project in which we have many entry points on different pages?

Originally posted by RC
Hi,

I did something like this to build login/logout functionality:

1 - made a username - password database table. (I would encrypt the passwords btw.)
2 - made a GWT service which enables username - password authentication (extends RemoteServiceServlet).
3 - in the EntryPoint.onModuleLoad() I call a getUser()-method on the authentication service.
4 - getUser() looks up the current username as a session attribute: this.getThreadLocalRequest().getSession().getAttribute("username").
5 - if no username is available then the user is not logged in and the client's callback should mask the app and show a login dialog.
6 - the login dialog calls the authenticate(username,password)-method on the authentication service.
7 - if the username - password combination is valid then the username is set as a session attribute and something (not null), e.g. a user-object, is returned to the client.
8 - for every subsequent server request we first check if the user is logged in, i.e. if the username is available as a session attribute.
9 - If the user logs out then we simply remove the corresponding session attribute and show the login dialog again.

It works for me, but I don't know if there are any security holes that I missed. So I do not give any warranties for this approach.



#5
Originally posted by mnenchev
What about user permissions and roles? And session life and expiration? How do you manage them?
I'm asking myself similar questions. What I want to do is set up a very modular authentication system, that allows members of some usergroups to determine the access rights (which can be access denied, read only and write, and later on possibly more) for each page for each user(group). I know how to do this in a plain php/mysql site, but don't have a clue on how to proceed here.

Isn't there a 'user login in smartgwt for dummies' yet? :D

Cheers
BN



#6
In my last GWT project (which actually was my first GWT project :) ) we created a security context with permissions that are all over the code, like a standard desktop-based application, and some HttpSessionListener for the session invalidation. That works very well, by the way, but the question is whether this is the right approach, generally in any kind of GWT project, and what about for example a Struts + GWT project?



#7
I didn't implement user roles and permissions yet, but it is indeed an interesting question that I will have to deal with later on.

Here are my thoughts:

- I would make User, Role and Permission classes in the .client - package. The user should have a Role-attribute (or an array of roles) and each Role has an array of permissions.
- When a user is authenticated the server instantiates the User-object (including roles and permissions) based on the user data in the database.
- This User-object is stored as a session attribute and it is returned to the client/browser.
- The client then can use the User-object to determine which parts of the GUI should be visible or disabled.
- On each request the server checks if it has the User object in its session attribute.

This way everything about the current user is known both at the client and at the server. If the session expires the server disposes its User-object, and servlets cannot find it anymore, and thus should return an error code to the client. When the client receives this error code, it knows that the user is no longer logged in and it can remove its User-object too, and redirect to the login page.

To prevent typing the same code over and over again, I would extend HttpServlet to check if the current user is logged in on each doGet() and doPost(). Then base all servlets on this extended version. Same for the GWT RPC service implementations.

These were just my thoughts. I did not try it yet. There might be some security issues involved. For example, someone might hack the client to gain access to the User-object. If the User-object would also have the password as an attribute, then that would be really bad. Therefore I would personally make the client very "stupid" as to what data it holds about the user.

About session expiration: I think you can set the expiration time of a session in code. See: http://java.sun.com/products/servlet...tpSession.html (setMaxInactiveInterval)
Last edited by RC; 26 Mar 2009, 10:55.

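Post #7's "extended version" for GWT RPC services, as an added example that is not from the thread: a base servlet that reads the User-object from the session on every call, a permission check built on it, and a checked exception the client can map to "show the login dialog". SecuredRemoteServiceServlet, ServerUser, the exception classes and the "report:write" permission name are all hypothetical; the server-side user carries no password field, following the post's advice to keep nothing secret that a copy could leak.

```java
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.io.Serializable;
import java.util.Set;
import javax.servlet.http.HttpSession;

// Checked exceptions declared on the RPC interface travel back to the browser; the client's
// onFailure() maps NotLoggedInException to "drop the local User-object and show the login dialog".
// GWT needs a no-arg constructor on them and expects them in the .client package.
class NotLoggedInException extends Exception implements Serializable {
    NotLoggedInException() {}  NotLoggedInException(String m) { super(m); }
}
class AccessDeniedException extends Exception implements Serializable {
    AccessDeniedException() {}  AccessDeniedException(String m) { super(m); }
}
// Server-side user: roles already flattened to permission names at login, no password field.
class ServerUser implements Serializable {
    final String username;
    final Set<String> permissions;
    ServerUser(String username, Set<String> permissions) { this.username = username; this.permissions = permissions; }
}
// Base class for every RPC servlet: the server-side session, not the client's copy of
// the User-object, decides what a request may do.
abstract class SecuredRemoteServiceServlet extends RemoteServiceServlet {
    static final String USER_ATTR = "user"; // set by the login service after a successful authenticate()

    protected ServerUser requireUser() throws NotLoggedInException {
        HttpSession session = getThreadLocalRequest().getSession(false); // never create one here
        Object u = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (u == null) throw new NotLoggedInException("not logged in or session expired");
        return (ServerUser) u;
    }
    protected ServerUser requirePermission(String permission)
            throws NotLoggedInException, AccessDeniedException {
        ServerUser u = requireUser();
        if (!u.permissions.contains(permission)) {
            throw new AccessDeniedException(u.username + " lacks " + permission);
        }
        return u;
    }
}
// A service built on the base class: the permission check runs before any work is done.
class ReportServiceImpl extends SecuredRemoteServiceServlet {
    public String deleteReport(String reportId) throws NotLoggedInException, AccessDeniedException {
        ServerUser u = requirePermission("report:write");
        return "report " + reportId + " deleted by " + u.username; // hypothetical; real code updates the DB here
    }
}
```

The client keeps only a stripped copy (username and permission names) for showing or hiding GUI parts; because every server method goes through requireUser() or requirePermission(), tampering with that copy changes nothing on the server.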
