The problem is that /#login and #securepage are the same page as far as
Spring is concerned. The part of the url after the # is not sent to the
server, and so Spring never really sees it.

I'd recommend creating the login page outside of GWT, as a simple html page.
Then, protect your GWT page (Application.html) using standard spring
security. When someone goes to your application, he will automatically be
redirected to the login page.

Apart from this, you should also protect all your RPC service urls. If you
want fine grained authorization (eg. prevent one user from modifying records
of another user), then you override the onAfterRequestDeserialized() method
in your RPC Servlet and figure out if the current user has the necessary
authorization.

--Sri


On 11 May 2010 22:09, sylvain.saurel <sylvain.sau...@gmail.com> wrote:

> Hello,
>
> I used GWT 2.0 since a few days. So, I try to code an basic
> application with a login form and a page accessible only if i am
> logged.
>
> Usually in my web application with jsf for example, I use Spring
> Security 3.0 to configure and secure that kind of application.
> So, I decided to try to do the same thing with my GWT 2.0
> application.
>
> I've well configured the server part of Spring Security. So from my
> GWT login page, I can enter my login/password and the authentication
> via Spring Security is performed. The redirection to the secured page
> is done and I can get the connected user via an rpc call to security
> service that uses the SecurityContext of Spring Security. So, I think
> that part is ok.
>
> But, I have got a big problem to secure urls. Indeed, I would like to
> secure the page to restrict access to specific Role like I do with
> Spring Security usually.
>
> In my GWT application, I use MVP pattern with central application
> controller. So, I have got only one page and for that page I'm going
> to differents views when adding #name_of_view to the end of the URL.
> For example, to access to my login page in development mode, I use the
> following URL on my browser :
>
>
> http://127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codesvr=127.0.0.1:9997#login
>
> Once i am correctly logged, I'm going to the following view :
>
>
> http://127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codesvr=127.0.0.1:9997#pagesecured
>
> Because of that, I don't know how to configure the http tag in Spring
> Security and how to define URL to intercept to affect them specific
> roles to restrict access.
> Furthermore, I think there will be a problem to use these URL between
> development mode and a classic production mode. No ?
>
> So, someone would have any idea to help me to configure and secure my
> application using these URLs ? or by using an other technic to secure
> application with form login ?
>
> Thanks by advance for your help.
>
> Sylvain.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Web Toolkit" group.
> To post to this group, send email to google-web-tool...@googlegroups.com.
> To unsubscribe from this group, send email to
> google-web-toolkit+unsubscr...@googlegroups.com<google-web-toolkit%2bunsubscr...@googlegroups.com>
> .
> For more options, visit this group at
> http://groups.google.com/group/google-web-toolkit?hl=en.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to google-web-tool...@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.

Reply via email to