The most successful method I have used is to use a login filter.

- The filter will redirect to a login form if not logged in.
- If the user is logged in (for example, checking a session var,
  cookie, or database), the filter wraps the request with an
  HttpServletRequestWrapper that implements getUserPrincipal() and
  isUserInRole(String role), and then proceeds to execute the request.
- With this, you get some benefits:
  - You can guarantee that your RPC requests are from an already
    logged-in user.
  - Your RPC code can call getThreadLocalRequest().getUserPrincipal()
    to find out who is logged in.
  - You can switch to https just for the login, if you wish.
- For extra credit, you can add a parameter to your filter to
  implement roles. For example, apply the filter with a parameter that
  specifies the 'user' role to your UserRPC servlet, and another filter
  with a parameter that specifies a required role of 'admin' for your
  AdminRPC servlet. If the current user tries to access the AdminRPC but
  does not have that role assigned to them, they get denied or
  redirected to the login page.

To allow persistent logins like the webmail "log in for two weeks"
idea, I set a persistent cookie that contains a large random number,
and save that in my database, possibly combined with some other key
information. If an incoming request does not have a login in the
session, I check for the persistent cookie, and validate it and their
IP address against the database; if it matches, they're in.
The IP address qualifier can be problematic; it can be faked out by
SBCs, NATs, and IP spoofing. As well, it sucks for mobile devices
that have changing IP addresses.


Well, I hope that is of some sort of help...

Jamie.



You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
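As an added illustration of the filter Jamie describes (this is example code, not code from the post or from GWT): a servlet filter that redirects anonymous requests to the login form, wraps authenticated ones in an HttpServletRequestWrapper exposing getUserPrincipal() and isUserInRole(), and enforces a role given as a filter init-param. The init-param name `requiredRole`, the session attribute names `user` and `roles`, and the `/login.html` path are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical login filter. "requiredRole" (init-param) and the session
// attributes "user" / "roles" are assumed names, not part of the original post.
public class LoginFilter implements Filter {
    private String requiredRole;

    @Override
    public void init(FilterConfig cfg) {
        requiredRole = cfg.getInitParameter("requiredRole"); // e.g. "user" or "admin"
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // never create a session here
        String user = session == null ? null : (String) session.getAttribute("user");
        if (user == null) {
            // Not logged in: send to the login form instead of serving the RPC.
            ((HttpServletResponse) resp).sendRedirect(http.getContextPath() + "/login.html");
            return;
        }
        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.getAttribute("roles");
        HttpServletRequest wrapped = new AuthenticatedRequest(http, user, roles);
        if (requiredRole != null && !wrapped.isUserInRole(requiredRole)) {
            // Logged in, but lacking the role this servlet was configured to require.
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(wrapped, resp); // RPC code may now call getUserPrincipal()
    }

    @Override public void destroy() {}

    /** Exposes the session's identity through the standard servlet API. */
    static class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;
        AuthenticatedRequest(HttpServletRequest req, String name, Set<String> roles) {
            super(req);
            this.principal = () -> name;             // Principal's single abstract method is getName()
            this.roles = roles == null ? Set.of() : roles;
        }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Map the filter twice in web.xml, once with `requiredRole=user` on the UserRPC servlet and once with `requiredRole=admin` on the AdminRPC servlet, to get the per-servlet role check described above.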