On 31 mar, 11:34, Thomas Broyer <t.bro...@gmail.com> wrote:
> On 31 mar, 12:55, Ivan M <supertra...@gmail.com> wrote:
>
> Every request has to be secured and "verified" on the server side.
> Whether you pass a login/password pair or a "ticket" (that could be
> your session ID, managed "transparently" by your server's session
> handling feature) doesn't change much, you still have to pass
> along something that the server can check to make sure you're
> authorized to make such a request.
> With an HttpSession, you let the server do this "verification" for you
> (and associate data with this "session"), but be careful about CSRF,
> as securing an app against CSRF needs client-server cooperation
> (cookies and "tokens in URLs" aren't secure *at all*)
>
> The thing is, a state-less server is (generally) easier to maintain
> ("reacting" to a request only depends on the request and on the
> server's "data", not any previous state associated with the "user
> session") and easier to scale (first: no need to maintain "sessions",
> so it consumes less memory; then: need two servers instead of one?
> just add the second server and set up a load balancer, no need for
> session-sharing between your servers or "sticky-sessions" at the load-
> balancer level), among other things.
>
> But of course, YMMV.

Thank you, Thomas. I perform authentication against a rather slow LDAP
server, so I can't afford to query this server for every GWT request.
I'm considering tickets but I still don't know how to implement them. I
understand I can use the following as the ticket, so I don't need to
pass an extra parameter:

getThreadLocalRequest().getSession().getId()

I don't want the trouble of storing tickets and their access permits
in the database. Since I read there is one instance of the server running
for all clients, I suppose I can store them in a data structure in the
server. How can I detect that a session has been closed or expired, so
that I can delete the record from the structure?

Thanks again.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---
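One way to get the cleanup Ivan asks about, as an added example and not code from either poster: a JVM-wide ticket table keyed by the HttpSession id, emptied by the container itself through the Servlet API's HttpSessionListener, which fires on both timeout and explicit invalidate(). It assumes the javax.servlet API on the classpath (GWT's server side already depends on it); the class names TicketRegistry and Permits, the role names, and the servlet method it is called from are hypothetical.

```java
// Added example, not from the thread. Requires the Servlet API (javax.servlet)
// at compile time; names below (TicketRegistry, Permits, "admin") are illustrative.
package example.server;

import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/*
 * Register the listener once in web.xml so the container calls sessionDestroyed():
 *
 *   <listener>
 *     <listener-class>example.server.TicketRegistry</listener-class>
 *   </listener>
 */
public final class TicketRegistry implements HttpSessionListener {

    /** Permits resolved from LDAP once at login; immutable, so sharing it is safe. */
    public static final class Permits {
        public final String user;
        private final Set<String> roles;

        public Permits(String user, Set<String> roles) {
            this.user = user;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }

        public boolean has(String role) {
            return roles.contains(role);
        }
    }

    // One table for the whole JVM, keyed by session id. ConcurrentHashMap because
    // the container dispatches requests (and session expiry) from many threads.
    private static final Map<String, Permits> TICKETS =
            new ConcurrentHashMap<String, Permits>();

    /** Call this once the slow LDAP bind has succeeded. Returns the new ticket. */
    public static String issue(HttpServletRequest request, Permits permits) {
        // Throw away any pre-login session so that an id an attacker planted in the
        // victim's browser (session fixation) is never promoted to a logged-in one.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();              // sessionDestroyed() drops any stale entry
        }
        HttpSession fresh = request.getSession(true);
        TICKETS.put(fresh.getId(), permits);
        return fresh.getId();              // travels back in the JSESSIONID cookie
    }

    /** Permits of the caller, or null if there is no live, authenticated session. */
    public static Permits lookup(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // never create one here
        if (session == null) {
            return null;   // no cookie, or the container already expired the session
        }
        return TICKETS.get(session.getId());
    }

    /** Guard for a GWT service method: getThreadLocalRequest() is the argument. */
    public static Permits require(HttpServletRequest request, String role) {
        Permits p = lookup(request);
        if (p == null || !p.has(role)) {
            throw new SecurityException("not authorized for role " + role);
        }
        return p;
    }

    /** Explicit logout: invalidating the session is what removes the ticket. */
    public static void revoke(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    // --- HttpSessionListener: the container answers "has the session gone?" ---

    public void sessionCreated(HttpSessionEvent e) {
        // Nothing to do: a session only gets a ticket after a successful login.
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        // Fires on timeout and on invalidate(), so entries cannot leak.
        TICKETS.remove(e.getSession().getId());
    }
}
```

Inside a RemoteServiceServlet method the check is one line, `TicketRegistry.require(getThreadLocalRequest(), "admin")`. Two things worth knowing before copying this: the static map only matches the "one server instance" assumption in the question, so it is lost on restart and not shared across a cluster, which is exactly the trade-off Thomas describes; and if the permits are small you can skip the map and the listener entirely with `session.setAttribute("permits", permits)`, since the container then discards them together with the session. Either way the ticket must stay in the cookie, never in a URL, and a cookie alone does nothing against CSRF, as Thomas already pointed out.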