Thanks for your answer. I put in place that solution. I have an HTML login form that posts to / j_spring_security_check. The authentification is realized correctly and I secure all my GWT pages with Spring Security.
For my RPC service, for the moment I only secured URL with Spring Security. I will see later if I secure more for that services. For the logout, I use Spring Security fonctionnality with / j_spring_security_logout. On Firefox, it works fine. On Chrome, there is a cache problem. When I do a logout after a login succeeded, Chrome must put in cache Application.html because when I try to access to Application.html the page is well displayed but the rpc call are not succeeded because the server knows that user is not connected. By doing, CRTL + F5 on the page, Application.html becomes not accesible. So, is there a solution to force Chrome to clear cache for that page for example ? Sylvain. On 12 mai, 23:21, Sripathi Krishnan <sripathi.krish...@gmail.com> wrote: > The problem is that /#login and #securepage are the same page as far as > Spring is concerned. The part of the url after the # is not sent to the > server, and so Spring never really sees it. > > I'd recommend creating the login page outside of GWT, as a simple html page. > Then, protect your GWT page (Application.html) using standard spring > security. When someone goes to your application, he will automatically be > redirected to the login page. > > Apart from this, you should also protect all your RPC service urls. If you > want fine grained authorization (eg. prevent one user from modifying records > of another user), then you override the onAfterRequestDeserialized() method > in your RPC Servlet and figure out if the current user has the necessary > authorization. > > --Sri > > On 11 May 2010 22:09, sylvain.saurel <sylvain.sau...@gmail.com> wrote: > > > > > > > Hello, > > > I used GWT 2.0 since a few days. So, I try to code an basic > > application with a login form and a page accessible only if i am > > logged. > > > Usually in my web application with jsf for example, I use Spring > > Security 3.0 to configure and secure that kind of application. > > So, I decided to try to do the same thing with my GWT 2.0 > > application. > > > I've well configured the server part of Spring Security. So from my > > GWT login page, I can enter my login/password and the authentication > > via Spring Security is performed. The redirection to the secured page > > is done and I can get the connected user via an rpc call to security > > service that uses the SecurityContext of Spring Security. So, I think > > that part is ok. > > > But, I have got a big problem to secure urls. Indeed, I would like to > > secure the page to restrict access to specific Role like I do with > > Spring Security usually. > > > In my GWT application, I use MVP pattern with central application > > controller. So, I have got only one page and for that page I'm going > > to differents views when adding #name_of_view to the end of the URL. > > For example, to access to my login page in development mode, I use the > > following URL on my browser : > > >http://127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codes... > > > Once i am correctly logged, I'm going to the following view : > > >http://127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codes... > > > Because of that, I don't know how to configure the http tag in Spring > > Security and how to define URL to intercept to affect them specific > > roles to restrict access. > > Furthermore, I think there will be a problem to use these URL between > > development mode and a classic production mode. No ? > > > So, someone would have any idea to help me to configure and secure my > > application using these URLs ? or by using an other technic to secure > > application with form login ? > > > Thanks by advance for your help. > > > Sylvain. > > > -- > > You received this message because you are subscribed to the Google Groups > > "Google Web Toolkit" group. > > To post to this group, send email to google-web-tool...@googlegroups.com. > > To unsubscribe from this group, send email to > > google-web-toolkit+unsubscr...@googlegroups.com<google-web-toolkit%2Bunsubs > > cr...@googlegroups.com> > > . > > For more options, visit this group at > >http://groups.google.com/group/google-web-toolkit?hl=en. > > -- > You received this message because you are subscribed to the Google Groups > "Google Web Toolkit" group. > To post to this group, send email to google-web-tool...@googlegroups.com. > To unsubscribe from this group, send email to > google-web-toolkit+unsubscr...@googlegroups.com. > For more options, visit this group > athttp://groups.google.com/group/google-web-toolkit?hl=en. -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to google-web-tool...@googlegroups.com. To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.