SessionHandlerListener and SessionRemoteServiceFilter are used only
for session handling - with each RPC request the sessionID is
transferred in the payload and on the server side the request is paired with
the session (based on the sessionID from the payload). (Security information
is stored in the session.)

If you annotate a UI component with:
@Secured(Grants.SECURITY_MANAGEMENT)

Grants.SECURITY_MANAGEMENT is just a String, like in Spring. This
example is from the original acris documentation:

"Example:

Having Grants.SECURITY_MANAGEMENT grant which is just a string equal
to "security_management" we are altering the behaviour of the field
using following annotation:

@Secured(Grants.SECURITY_MANAGEMENT)
protected TextBox securityID;

When the user has the authority ROLE_security_management_VIEW stored
in his profile he will be able to see but not to edit the text box for
security ID. If he has ROLE_security_management_EDIT he will not only
see the field but also edit it."

As a result:

If a user has the authority ROLE_security_management_VIEW (that's the authority
from the Spring Security UserDetails object/interface) he is able to see
UI objects annotated with
@Secured("security_management") and is able to execute server side
methods annotated with @Secured("ROLE_security_management_VIEW"), for
example. The server side security is completely handled by Spring and
is completely compatible with your roles obtained using your
userDetailService.

Basically, acris server side security is not based on checking the
URL but it checks the method execution permissions and domain level
permissions (aka ACLs).

Hopefully this helps.
Peter

On 29. Júl, 00:54 h., seanrocket <seanrocketjohnc...@gmail.com> wrote:
> Thanks Arthur and Peter for responding.
>
> Peter, I looked at the Acris Security but I noticed that Acris
> Security uses its own filter and not the Spring Security Filter. I
> would like the Annotations in the GWT widget to correspond to the
> Roles(authorities)  from Spring Security not Roles that are from Acris
> Filters. Please correct me if I misunderstood Acris Security
>
> If  i annotate
>
> @Secured(Grants.ROLE_ADMIN)
> protected VerticalPanel mainPanel;
>
> then the ROLE_ADMIN should correspond to the authorities I retrieved
> back from Spring Security authentication provider as configured in
> applicationContext-security.xml.
>
>  <authentication-manager>
>     <authentication-provider user-service-ref='UserDetailsService'/>
>   </authentication-manager>
>
>   <beans:bean id="UserDetailsService"
>       class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
>     <beans:property name="dataSource" ref="dataSource"/>
>     <beans:property name="usersByUsernameQuery">
>       <beans:value>SELECT LOGIN_NAME AS username,PASSWORD AS password,ACTIVE AS active FROM USERS WHERE LOGIN_NAME = ?</beans:value>
>     </beans:property>
>     <beans:property name="authoritiesByUsernameQuery">
>       <beans:value>SELECT a.LOGIN_NAME AS username,b.NAME AS role_name FROM USERS a, ROLE b, SEC_USER_ROLE c  WHERE a.ID = c.UID and b.id = c.ROLE_ID and a.LOGIN_NAME = ?</beans:value>
>     </beans:property>
>   </beans:bean>
>
> Acris uses SessionRemoteServiceFilter and Spring Security  uses
> org.springframework.web.filter.DelegatingFilterProxy
>
> In http://code.google.com/p/acris/wiki/SecurityQuickStart, it mentions
> that we should use SessionRemoteServiceFilter
>
>   <filter>
>     <filter-name>SessionFilter</filter-name>
>     <filter-class>sk.seges.acris.security.server.SessionRemoteServiceFilter</filter-class>
>   </filter>
>   <filter-mapping>
>     <filter-name>SessionFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>
>   <listener>
>     <listener-class>sk.seges.acris.security.server.SessionHandlerListener</listener-class>
>   </listener>
>
> where Spring Security requires
>
>   <filter>
>     <filter-name>springSecurityFilterChain</filter-name>
>     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>   </filter>
>   <filter-mapping>
>     <filter-name>springSecurityFilterChain</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>   <listener>
>     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
>   </listener>
>
> On Jul 27, 8:37 am, Peter Simun <si...@seges.sk> wrote:
>
> > Acris has also the client "conditional" security. Have a look
> > on: http://code.google.com/p/acris/wiki/SecurityClient
>
> > Just annotate your panel with
> > @Secured(Grants.ROLE_ADMIN)
> > protected VerticalPanel mainPanel;
>
> > and it will display only to users who have the correct security
> > permission.
>
> > You can study more in the
> > showcase: http://acris.googlecode.com/svn/trunk/acris-security-showcase
>
> > Peter
>
> > On 21. Júl, 00:46 h., seanrocket <seanrocketjohnc...@gmail.com> wrote:
>
> > > I am running GWT 2.0.4 and Spring Security 3.03.
>
> > > I am able to authenticate with Spring Security but have not found a
> > > good way to conditionally render Widgets and Panels based on ROLES
> > > from Spring Security.
>
> > > For example: In the StockWatcher program, if a user has a ROLE_ADMIN
> > > then I want to allow that person to add a addPanel. But If the user
> > > has a role such as ROLE_GUEST who is not a ROLE_ADMIN, that user
> > > should not see the panel
>
> > > I would like to do something like:
> > >    public void onModuleLoad() {
> > > .....
> > >             // Assemble Main panel.
> > >             mainPanel.add(stocksFlexTable);
> > >             if(SpringSecurityRole == "ROLE_ADMIN"){
> > >                     mainPanel.add(addPanel);
> > >              }
> > >             mainPanel.add(lastUpdatedLabel);
> > >  ......
> > >      }
> > > I know UI conditional rendering can be easily accomplished using jsp
> > > and the Spring Security tags (as shown below). But we don't want to
> > > use jsp
>
> > > <sec:authorize access="hasRole('ROLE_ADMIN')">
> > >  <input type="submit" value="Add" />
> > > </sec:authorize>
>
> > > I have searched gwt forums, google groups and other GWT book forum
> > > and Spring book forums and have not found a good solution.
>
> > > I've tried the
> > > acris security http://code.google.com/p/acris/wiki/Introduction
> > > but the roles don't seem to come from Spring Security but rather its
> > > own implementation. It uses Spring Security for server side security
> > > not UI conditional rendering. UI conditional rendering ROLES come from
> > > its own filter
> > > sk.seges.acris.security.server.SessionRemoteServiceFilter and user
> > > define Grants interface.
>
> > > I've also tried gwt-incubator
> > > lib http://code.google.com/p/gwt-incubator-lib/ but that seems to only
> > > cover authentication and no conditional rendering.
>
> > > I've seen some news feed about calling back to Spring Security but
> > > didn't know how to accomplish the actual calls.
>
> > > DoCheckUserAuth checkAuth = new DoCheckUserAuth(); boolean b =
> > > checkAuth.askServerAboutUser();
> > > if(b){
> > >     RootPanel.get("formPoint").set(new PrivateForm);}
> > > else
> > > {
> > >   RootPanel.get("messagePoint").set(new Label("Please, pass
> > > authorization"));
>
> > > Your help is much appreciated
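
The grant-to-authority convention quoted in Peter's reply (ROLE_<grant>_VIEW and ROLE_<grant>_EDIT), as an added example that is not part of the original thread and not acris or Spring Security code. GrantCheck, Access, resolve and requireAuthority are hypothetical names, and the authority sets are constructed sample data.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added illustration; GrantCheck, Access, resolve and requireAuthority are
// hypothetical names, not acris or Spring Security classes.
public class GrantCheck {

    enum Access { HIDDEN, VIEW, EDIT }

    // Client-side decision: how a field annotated with the given grant is rendered.
    // Convention from the quoted documentation: ROLE_<grant>_VIEW / ROLE_<grant>_EDIT.
    static Access resolve(String grant, Set<String> authorities) {
        if (grant == null || grant.isEmpty()) {
            return Access.HIDDEN;                       // fail closed
        }
        if (authorities.contains("ROLE_" + grant + "_EDIT")) {
            return Access.EDIT;                         // EDIT implies visible
        }
        if (authorities.contains("ROLE_" + grant + "_VIEW")) {
            return Access.VIEW;                         // visible, read-only
        }
        return Access.HIDDEN;
    }

    // Server-side decision: stands in for a method guarded by
    // @Secured("ROLE_security_management_EDIT"); made independently of the UI.
    static void requireAuthority(Set<String> authorities, String required) {
        if (!authorities.contains(required)) {
            throw new SecurityException("missing authority " + required);
        }
    }

    public static void main(String[] args) {
        String grant = "security_management";
        // Constructed authority sets, as UserDetails.getAuthorities() might yield.
        Set<String> viewer = new HashSet<>(Arrays.asList("ROLE_security_management_VIEW"));
        Set<String> editor = new HashSet<>(Arrays.asList("ROLE_security_management_EDIT"));
        Set<String> admin  = new HashSet<>(Arrays.asList("ROLE_ADMIN"));

        System.out.println("viewer -> " + resolve(grant, viewer));
        System.out.println("editor -> " + resolve(grant, editor));
        System.out.println("admin  -> " + resolve(grant, admin));

        requireAuthority(editor, "ROLE_security_management_EDIT"); // passes
        try {
            // A viewer calling the edit method directly is still refused.
            requireAuthority(viewer, "ROLE_security_management_EDIT");
        } catch (SecurityException e) {
            System.out.println("viewer edit call refused: " + e.getMessage());
        }
    }
}
```

The result of resolve only drives rendering in the browser; the server-side check is what actually protects the operation, which is why both decisions read the same Spring authorities.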
