login/logout/remember

2010-06-02 Thread Magnus
Hi,

I cannot find a minimalistic example that shows how to realize a login/
logout functionality.
Could please someone point me to such an example?

I also wonder where to put the different things. For example, the code
that immediately reacts on the "login" button could be placed within
the "client" folder of a GWT project, or it could be realized as a
servlet.

When do I use a servlet and how?

Thank you!
Magnus

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to google-web-tool...@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.



Re: login/logout/remember

2010-06-02 Thread Bruno Lopes
Hi Alpine Bluster,

look at this code:

public void onModuleLoad() {
    this.setLoginPanel();

    loginButton = new Button("Login");
    loginButton.addListener(new ButtonListenerAdapter() {
        public void onClick(Button button, EventObject e) {
            userAuthentication();
        }
    });

    formPanel.addButton(loginButton);
    formPanel.setBorder(false);
    loginPanel.add(formPanel);

    Element appPanelEl = loginPanel.getElement();

    // Pressing ENTER inside the login panel moves focus to the login button.
    @SuppressWarnings("unused")
    KeyMap map = new KeyMap(appPanelEl, new KeyMapConfig() {
        {
            setKey(EventObject.ENTER);
            setKeyListener(new KeyListener() {
                public void onKey(int key, EventObject e) {
                    loginButton.focus();
                }
            });
        }
    });

    RootPanel.get("login_widget").add(loginPanel);
}

private void userAuthentication() {
    if (this.userNameField.getValueAsString().equals(""))
        Window.alert("username must not be empty.");
    else {
        loginService = GWT.create(LoginService.class);
        String username = this.userNameField.getValueAsString();
        String password = this.passwordField.getValueAsString();

        // The credentials are checked on the server through the RPC service.
        this.loginService.login(username, password,
                new AsyncCallback<LoginResponse>() {
                    public void onFailure(Throwable caught) {
                        Window.alert("server side failure: " + caught);
                    }

                    public void onSuccess(LoginResponse result) {
                        if (result.isLoginSuccess()) {
                            Window.Location.replace("./../Main.html");
                        }
                        else Window.alert("username or password invalid.");
                    }
                });
    }
}
...

FOR LOGOUT


private Panel northPanel = new Panel();

Toolbar toolbar = new Toolbar();

ToolbarButton logoutButton = new ToolbarButton("Sign Out");
logoutButton.addListener(new ButtonListenerAdapter() {
    public void onClick(Button button, EventObject e) {
        LoginServiceAsync service = GWT.create(LoginService.class);
        // Ask the server to log out, then return to the login page.
        service.logout(new AsyncCallback<Void>() {
            @Override
            public void onFailure(Throwable caught) {
                caught.printStackTrace();
            }

            @Override
            public void onSuccess(Void result) {
                Window.Location.replace("./../Login.html");
            }
        });
    }
});

tabPanel = new TabPanel();

toolbar.addFill();
toolbar.addText("welcome," + someUser..);
toolbar.addSeparator();
toolbar.addButton(logoutButton);

tabPanel.setWidth(NORMALIZE_SPACING);
tabPanel.setTopToolbar(toolbar);

northPanel.add(tabPanel);




Re: login/logout/remember

2010-06-03 Thread Magnus
Hi,

thank you for the code! I adopted it to my application.

So you authenticate the user via the remote service! But how do you
actually store the user context the app is running in? Do you do some
session management?

Thanks
Magnus





Re: login/logout/remember

2010-06-03 Thread Bruno Lopes
YES
on the server side I have something like this:

public class PadroesSession implements Serializable {

    // One instance, created lazily and shared by every caller in the JVM.
    private static PadroesSession padroesSession = null;

    public static PadroesSession getInstance() {
        if (padroesSession == null) {
            padroesSession = new PadroesSession();
            return padroesSession;
        } else {
            return padroesSession;
        }
    }

    private PadroesSession() {

    }

    private static final String USER_SESSION = "userSession";
    private HttpServletRequest request = null;
    private HttpSession session = null;

    // Returns the user stored in the held session, or null if there is none.
    public PersonDTO getUser() {
        if (null == session) return null;

        return session.getAttribute(USER_SESSION) != null ?
                (PersonDTO) session.getAttribute(USER_SESSION) : null;
    }

    public HttpSession getSession() {
        return session;
    }

    // Invalidates the session of the held request and the held session.
    public void invalidate() {
        if (request != null)
            if (request.getSession(false) != null)
                request.getSession(false).invalidate();
        if (null != session) {
            session.invalidate();
            session = null;
        }
    }

    // Stores the user in the session of the held request; null removes the attribute.
    public void setUser(PersonDTO user) {
        if (null == user) {
            if (session != null) session.removeAttribute(USER_SESSION);
            return;
        }

        if (null != request)
            this.session = request.getSession(true);

        if (session != null) session.setAttribute(USER_SESSION, user);
    }

    public String getId() {
        return request.getSession(false).getId();
    }

    public HttpServletRequest getRequest() {
        return request;
    }

    public void setRequest(HttpServletRequest request) {
        this.request = request;
    }

}



Re: login/logout/remember

2010-06-03 Thread Bruno Lopes
Then on the server side for the LoginService

public LoginResponse login(String username, String password) {
    LoginPService loginService = ServiceLocator.getLoginService();
    PersonDTO personDTO = null;

    try {

        personDTO = loginService.getUserByUsername(username);

        if (personDTO == null) {
            //.getInstance().info("User not found: "+username);
            return new LoginResponse(false, false);
        } else if (!loginService.checkPassword(password)) {
            //UCCLogger.getInstance().info("Wrong password for user: "+username);
            return new LoginResponse(false, false);
        }

    } catch (Throwable e) {
        return new LoginResponse(false, false);
    }

    LoginResponse response = new LoginResponse();
    response.setLoginSuccess(true);

    // Hand the current RPC request to the shared PadroesSession and store the user in its session.
    PadroesSession padroesSession = PadroesSession.getInstance();
    padroesSession.setRequest(getThreadLocalRequest());

    padroesSession.setUser(personDTO);
    return response;
}


Re: login/logout/remember

2010-06-15 Thread Magnus
What's PersonDTO?

Magnus


Re: login/logout/remember

2010-06-16 Thread Bruno Lopes
A serializable object from the persistence side.


Re: login/logout/remember

2010-08-05 Thread fermierul
To me it seems there is a problem with your approach. It looks like
PadroesSession is a singleton class per entire server application, and
it holds only one request and session at a time, while in a multi-client
application you will have a session for each client connection. This
means that:
- if user1 is logged in
- then user2 tries to log in
- for user 2 you want to see if a user is already logged in; you check
PadroesSession.getUser and see it returns a value (which is in fact
user1) and then you allow user2 directly into the application

So I think that per server application you should work with a list of
sessions, not just a single instance.


GWT Login/ Logout/ Remember Me (with concern in preventing Cross-Site Request Forgeries) Example

2010-04-07 Thread yccheok
Does anyone have a good code example, on how to implement login/logout/
remember me feature, using GWT, with concern on Cross-Site Request
Forgeries?

My plan is to use HttpOnly : 
http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

However, I am not sure whether that will be sufficient enough.

Thanks.




Re: GWT Login/ Logout/ Remember Me (with concern in preventing Cross-Site Request Forgeries) Example

2010-04-07 Thread Manuel Carrasco Moñino
GWT (client side) has nothing to do with HttpOnly cookies because the
browser can not read them using javascript.

You have to face it in the server side, sending a cookie from your
servlet to the browser with the HttpOnly attribute set, the browser
will remember it, and the next time it loads the GWT application it
has to ask the server via RPC to know if the user has the appropriate
cookies, if not you have to show the login screen.

-Manolo

On Wed, Apr 7, 2010 at 8:17 PM, yccheok  wrote:
> Does anyone have a good code example, on how to implement login/logout/
> remember me feature, using GWT, with concern on Cross-Site Request
> Forgeries.
>
> My plan is to use HttpOnly : 
> http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
>
> However, I am not sure whether that will be sufficient enough.
>
> Thanks.
>
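
The server-side flow described in this reply, as an added example that is not part of the original post: a remember-me token is issued in a cookie marked HttpOnly and Secure, then resolved back to a user by the check the GWT module makes at load time. The class name, cookie name and in-memory token store are assumptions, and plain JDK code stands in for the servlet API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration: class, cookie name and in-memory store are hypothetical. */
public class RememberMeTokens {
    static final String COOKIE = "REMEMBER_ME";   // assumed cookie name
    private final SecureRandom rng = new SecureRandom();
    // Only a hash of each token is stored, so a leaked store cannot be replayed as cookies.
    private final Map<String, String> userByTokenHash = new ConcurrentHashMap<>();

    /** After a successful login: returns the Set-Cookie value (HttpOnly hides it from scripts). */
    public String issue(String username, int maxAgeSeconds) throws Exception {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        userByTokenHash.put(hash(token), username);
        return COOKIE + "=" + token + "; Max-Age=" + maxAgeSeconds
                + "; Path=/; Secure; HttpOnly";
    }

    /** What the "who am I" RPC does at module load: user name, or null to show the login screen. */
    public String userFor(String cookieHeader) throws Exception {
        if (cookieHeader == null) return null;
        for (String part : cookieHeader.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(COOKIE)) return userByTokenHash.get(hash(kv[1]));
        }
        return null;
    }
    /** Logout: forget the token server-side so a copied cookie stops working. */
    public void revoke(String token) throws Exception { userByTokenHash.remove(hash(token)); }
    private static String hash(String token) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    public static void main(String[] args) throws Exception {
        RememberMeTokens store = new RememberMeTokens();
        String setCookie = store.issue("alice", 14 * 24 * 3600);   // constructed sample user
        String token = setCookie.substring(COOKIE.length() + 1, setCookie.indexOf(';'));
        System.out.println("Set-Cookie: " + setCookie);
        System.out.println("after login:  " + store.userFor(COOKIE + "=" + token));
        store.revoke(token);
        System.out.println("after logout: " + store.userFor(COOKIE + "=" + token));
    }
}
```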



Re: GWT Login/ Logout/ Remember Me (with concern in preventing Cross-Site Request Forgeries) Example

2010-04-07 Thread Sripathi Krishnan
For general ideas on how to implement remember me, the thread you started on
stackoverflow <http://stackoverflow.com/questions/2594960/best-pratice-to-implement-secure-remember-me>
should get you answers. I will try to answer the GWT specific things you
should be doing over here.

If you haven't already, please read
http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications.
It's a bit dated, and will perhaps take you a while to go through it, but it
is definitely worth reading if you are concerned about security.

Once you have implemented remember-me, it is important that your website
doesn't have XSS (cross site scripting) or CSRF (cross site request forgery)
loopholes. Additionally, you must use an SSL certificate (https) to protect
the cookie from a man-in-the-middle attack.

Some suggestions for XSS and CSRF from a GWT perspective -

*Cross Site Scripting*

   - Within GWT code, be wary of innerHTML() and eval() methods. Make sure
   that whatever string you pass to these methods is trusted. If it's not
   trusted, you'd have to escape the strings <http://www.530geeks.com/encode.jsp>
   appropriately. GWT takes care of things everywhere else.
   - If you are using JSNI, make sure you don't insert untrusted content
   into the dom. Same as above, use escaping if the strings are not trusted.
   - If you use an external javascript library, make sure it doesn't have
   loopholes.
   - Finally, if you use a jsp/servlet to generate the html, make sure that
   it doesn't echo input parameters without first escaping them.

*Cross Site Request Forgery*

   - If you use GWT RPC (whether the legacy one or the new deRPC), you are
   already protected. GWT sets custom request headers before making a RPC call.
   It also uses post with a custom content type. These cannot be forged using a
   script/image/iframe/form from another domain.
   - If you use RequestBuilder to download JSON / XML, then you are on your
   own. Follow the best practices laid down by
   OWASP <http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet>.
   GWT's security notes <http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications>
   also have notes on how to protect against csrf.


--Sri



On 8 April 2010 02:36, Manuel Carrasco Moñino  wrote:

> GWT (client side) has nothing to do with HttpOnly cookies because the
> browser can not read them using javascript.
>
> You have to face it in the server side, sending a cookie from your
> servlet to the browser with the HttpOnly attribute set, the browser
> will remember it, and the next time it loads the GWT application it
> has to ask the server via RPC to know if the user has the appropriate
> cookies, if not you have to show the login screen.
>
> -Manolo
>
> On Wed, Apr 7, 2010 at 8:17 PM, yccheok  wrote:
> > Does anyone have a good code example, on how to implement login/logout/
> > remember me feature, using GWT, with concern on Cross-Site Request
> > Forgeries.
> >
> > My plan is to use HttpOnly :
> http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
> >
> > However, I am not sure whether that will be sufficient enough.
> >
> > Thanks.
> >
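
For the RequestBuilder case in this reply, one way to apply a session-bound token check on the server, as an added example that is not part of the original post: the token is handed to the client after login, the client echoes it in a custom header on each state-changing request, and the server compares it in constant time. The header name, session attribute name and the maps standing in for the servlet session and request headers are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added illustration: header name, method names and the session map are hypothetical. */
public class CsrfHeaderCheck {
    static final String HEADER = "X-CSRF-Token";     // assumed header name
    static final String SESSION_KEY = "csrfToken";   // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** At login: bind a random token to the session and return it in the response body. */
    static String newToken(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, token);
        return token;
    }

    /** On each request: state-changing methods pass only if the header echoes the session token. */
    static boolean allowed(String method, Map<String, String> headers, Map<String, Object> session) {
        if (method.equals("GET") || method.equals("HEAD")) return true;  // must stay side-effect free
        Object expected = session.get(SESSION_KEY);
        String sent = headers.get(HEADER);
        if (expected == null || sent == null) return false;
        // Constant-time comparison, so response timing does not leak how much of a guess matched.
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                                     sent.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();        // stands in for HttpSession
        String token = newToken(session);
        Map<String, String> fromApp = new HashMap<>();        // client called RequestBuilder.setHeader
        fromApp.put(HEADER, token);
        Map<String, String> crossSiteForm = new HashMap<>();  // cookie attached by browser, no header
        System.out.println("app POST allowed:    " + allowed("POST", fromApp, session));
        System.out.println("forged POST allowed: " + allowed("POST", crossSiteForm, session));
    }
}
```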



Re: GWT Login/ Logout/ Remember Me (with concern in preventing Cross-Site Request Forgeries) Example

2010-04-21 Thread lineman78
I suggest using container managed security so that you don't have to
deal with most of this.  I have implemented a GWT-based form login,
but it required some hackery because of the way tomcat/glassfish
handle redirecting for form login using request dispatching, therefore
causing your moduleBaseUrl to be off and not being able to load any of
the successive resource files.  I was able to work around this using a
jsp to do a meta redirect so that the browser would go to the real
url.

On Apr 7, 3:57 pm, Sripathi Krishnan wrote:
> For general ideas on how to implement remember me, the thread you started on
> stackoverflow <http://stackoverflow.com/questions/2594960/best-pratice-to-implement-...>
> should get you answers. I will try to answer the GWT specific things you
> should be doing over here.
>
> If you haven't already, please read
> http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw
> Its a bit dated, and will perhaps take you a while to go through it, but it
> is definitely worth reading if you are concerned about security.
>
> Once you have implemented remember-me, it is important that your website
> doesn't have XSS (cross site scripting) or CSRF (cross site request forgery)
> loopholes. Additionally, you must use a SSL certificate (https) to protect
> the cookie from a man-in-the-middle attack.
>
> Some suggestions for XSS and CSRF from a GWT perspective -
>
> *Cross Site Scripting*
>
>    - Within GWT code, be wary of innerHTML() and eval() methods. Make sure
>    that whatever string you pass to these methods is trusted. If its not
>    trusted, you'd have to escape the
> strings<http://www.530geeks.com/encode.jsp>appropriately. GWT takes
> care of things everywhere else.
>    - If you are using JSNI, make sure you don't insert untrusted content
>    into the dom. Same as above, use escaping if the strings are not trusted.
>    - If you use an external javascript library, make sure it doesn't have
>    loopholes.
>    - Finally, if you use a jsp/servlet to generate the html, make sure that
>    it doesn't echo input parameters without first escaping them.
>
> *Cross Site Request Forgery*
>
>    - If you use GWT RPC (whether the legacy one or the new deRPC), you are
>    already protected. GWT sets custom request headers before making a RPC call.
>    It also uses post with a custom content type. These cannot be forged using a
>    script/image/iframe/form from another domain.
>    - If you use RequestBuilder to download JSON / XML, then you are on your
>    own. Follow the best practices laid down by
> OWASP<http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_...>.
>    GWTs security
> notes<http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw...>also
> has notes on how to protect against csrf.
>
> --Sri
>
> On 8 April 2010 02:36, Manuel Carrasco Moñino  wrote:
>
> > GWT (client side) has nothing to do with HttpOnly cookies because the
> > browser can not read them using javascript.
>
> > You have to face it in the server side, sending a cookie from your
> > servlet to the browser with the HttpOnly attribute set, the browser
> > will remember it, and the next time it loads the GWT application it
> > has to ask the server via RPC to know if the user has the appropriate
> > cookies, if not you have to show the login screen.
>
> > -Manolo
>
> > On Wed, Apr 7, 2010 at 8:17 PM, yccheok  wrote:
> > > Does anyone have a good code example, on how to implement login/logout/
> > > remember me feature, using GWT, with concern on Cross-Site Request
> > > Forgeries.
>
> > > My plan is to use HttpOnly :
> >http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-http...
>
> > > However, I am not sure whether that will be sufficient enough.
>
> > > Thanks.
>