On Tuesday, September 20, 2011 9:21:14 AM UTC+2, msanztru wrote:
>
> I thought about implementing a servlet filter where I would "decrypt" the 
> request and see what was the target service and grant or deny access 
> depending on whether the user was logged in or not. But I couldn't figure out how to 
> do it... (any ideas :)
>

Use a ServiceLayerDecorator where you override/implement the invoke() 
method.

FWIW, we put annotations on our service methods, and a ServiceLayerDecorator 
grants access to them after checking the current user's role against the one 
required to call the method (similar to @RolesAllowed 
<http://download.oracle.com/javaee/6/api/javax/annotation/security/RolesAllowed.html> 
in the JavaEE or JAX-RS world). In our app, the user has to be 
authenticated, so we have a servlet filter and RequestTransport (much like in 
the Expenses sample). That wouldn't work well for anonymous access (if you 
let anonymous users in, then you cannot easily communicate back a lack of 
authentication), hence my proposal of using a different URL in that case: 
either you use the "open" end point, and an error could mean that you tried 
to call a method requiring authentication (that would be a bug in your app, 
or a potential attack), or you use the "secured" end point and an error 
could mean that you tried to call a method requiring different privileges 
(again, that would probably mean a bug in your app, or a potential attack, 
or possibly that the privileges of the user have changed between the time 
the UI showed him the actions it could perform and the time it actually 
performs them, but that's something you have to deal with in every 
client-server app; in our app, we cache the user's roles in the session, so 
that even if you change his privileges, they won't be taken into account 
until he logs out and in again).

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/76yBCFsDoyMJ.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.

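The role-checking ServiceLayerDecorator described in the reply above, written out as an added example; this is not code from the thread or from the GWT project. It assumes GWT 2.4-era RequestFactory server classes (`ServiceLayerDecorator`, `RequestFactoryServlet`, `DefaultExceptionHandler`) and the JavaEE `@RolesAllowed` / `@PermitAll` annotations; the session attribute name `user.roles` and the class names are assumptions. The decorator fails closed: a service method with no annotation is denied, so forgetting to annotate a new method cannot silently expose it.

```java
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.Set;

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.google.web.bindery.requestfactory.server.DefaultExceptionHandler;
import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;
import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;

/**
 * Denies any RequestFactory service-method invocation whose @RolesAllowed
 * requirement is not met by the roles cached in the caller's HTTP session.
 * Methods carrying no annotation are denied (deny by default) unless they
 * are explicitly marked @PermitAll.
 */
public class RoleCheckingDecorator extends ServiceLayerDecorator {

  /** Session attribute under which the login code stores a Set<String> of roles (assumed name). */
  static final String ROLES_ATTR = "user.roles";

  @Override
  public Object invoke(Method domainMethod, Object... args) {
    if (!isAllowed(domainMethod, currentRoles())) {
      // report() surfaces a failure on the client's Receiver.onFailure()
      // instead of an HTTP 500 carrying a server stack trace.
      return report("Access denied to %s", domainMethod.getName());
    }
    // Authorised: hand the call to the next layer, which performs the actual invocation.
    return getNext().invoke(domainMethod, args);
  }

  /**
   * Pure decision logic, kept free of servlet state so it can be unit-tested.
   * Method-level @RolesAllowed wins over a class-level one; any single
   * matching role is sufficient, mirroring JavaEE semantics.
   */
  static boolean isAllowed(Method method, Set<String> userRoles) {
    if (method.isAnnotationPresent(PermitAll.class)) {
      return true;
    }
    RolesAllowed required = method.getAnnotation(RolesAllowed.class);
    if (required == null) {
      required = method.getDeclaringClass().getAnnotation(RolesAllowed.class);
    }
    if (required == null) {
      return false; // unannotated method: deny rather than guess
    }
    for (String role : required.value()) {
      if (userRoles.contains(role)) {
        return true;
      }
    }
    return false;
  }

  /** Roles cached at login time; an absent session or attribute means "no roles". */
  @SuppressWarnings("unchecked")
  private static Set<String> currentRoles() {
    HttpServletRequest request = RequestFactoryServlet.getThreadLocalRequest();
    HttpSession session = request.getSession(false);
    Object roles = session == null ? null : session.getAttribute(ROLES_ATTR);
    return roles instanceof Set ? (Set<String>) roles : Collections.<String>emptySet();
  }
}

/** Servlet that installs the decorator; map it to the "secured" end point in web.xml. */
class SecuredRequestFactoryServlet extends RequestFactoryServlet {
  SecuredRequestFactoryServlet() {
    super(new DefaultExceptionHandler(), new RoleCheckingDecorator());
  }
}
```

Because the roles are read from the session rather than re-queried per call, a privilege change takes effect only at the next login, exactly the trade-off the reply describes; if that window matters, replace `currentRoles()` with a lookup against the user store and accept the extra query per request.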