Re: Using Filters

2009-06-11 Thread eags

Anyone have any idea about this or know where I can look/read to find
out more?  I'm totally at a loss here.  It looks like there are a
bunch of interesting methods for the ServletRequest class but
HttpServletRequest doesn't have much I can do with it.

On Jun 10, 3:31 pm, eags eagsala...@gmail.com wrote:
> I'd like to use Filter to implement all my security checks as a
> gateway to each gwt rpc call.  I'm going to include a sessionID from
> the client as an argument to each RPC call.  I'd like my filter in
> doFilter to be able to pull off that argument and check if the user is
> logged in and see what their role is.
>
> In the examples I've seen, when implementing the doFilter() method it
> isn't clear how I can get that argument off the request.  I looked at
> the methods for HttpServletRequest and they didn't say anything useful.
>
> Also, once I have the request I'd like to be able to check if the role
> is appropriate for the method being invoked but it isn't clear to me
> how I can do this either without having groups of methods for each
> role and a specific filter that checks the specific role for each
> group.  Maybe not a bad idea I guess.  I've seen other slicker stuff
> using annotations that maybe the Filter could access the value of to
> compare the user's role with the annotated required role for the
> called method?  Any info would be good here.
>
> In either case I would just throw an AuthenticationException right
> there and let the client handle it in the AsyncCallback's onFail().
>
> Thanks for any help.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Google Web Toolkit group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~--~~~~--~~--~--~---



Re: LoginSecurityFAQ and sessionID/tokens

2009-06-10 Thread eags

I found one discussion with the author of the LoginSecurityFAQ where
they ask this exact question and he does state that using a random
sessionID other than the one automatically included in the http header
generated by the servlet is best.
(http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/208f0144bc686114/842ba54ffa4f9265?lnk=gstq=user+authentication+login+sessions#842ba54ffa4f9265)

As for how to generate the token I'm thinking:

String sessionID = UUID.randomUUID().toString();

Any feedback is great as I'm really new to this stuff.

Thanks.


On Jun 10, 10:14 am, eags eagsala...@gmail.com wrote:
> I am implementing user logins and authentication using the model
> presented in the login security FAQ.  In particular I plan on manually
> maintaining a table of {sessionID,User,timeout} values for each active
> session and not using the normal servlet session functionality.
>
> So, my question is, where do I get the ID that is returned to the
> client?  I know that I can get one from the servlet session using
> HttpServletRequest.getSession().getId() but it seems like I could just
> use any randomly generated key right?  And maybe in fact I should not
> use that technique because that sessionID is also in the header where
> it can be easily snooped right?  So, what is a good technique for
> generating the sessionID?  To avoid duplicates I would just check the
> sessionID table before returning the sessionID to the client and if it
> is already in use I just call generateSessionID() again.  So my
> question is what should getSessionID() look like?
>
> I realize the recommended approach in the LoginSecurityFAQ is
> controversial and I've already read all that debate so I'm not really
> interested in more of that.  I just need specific help regarding these
> questions assuming I am doing what is recommended in the FAQ.
>
> Thanks in advance for any help.



Re: LoginSecurityFAQ and sessionID/tokens

2009-06-10 Thread eags

LoginSecurityFAQ is here BTW (http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ)

On Jun 10, 12:28 pm, eags eagsala...@gmail.com wrote:
> I found one discussion with the author of the LoginSecurityFAQ where
> they ask this exact question and he does state that using a random
> sessionID other than the one automatically included in the http header
> generated by the servlet is best.
> (http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/208f0144bc686114/842ba54ffa4f9265?lnk=gstq=user+authentication+login+sessions#842ba54ffa4f9265)
>
> As for how to generate the token I'm thinking:
>
> String sessionID = UUID.randomUUID().toString();
>
> Any feedback is great as I'm really new to this stuff.
>
> Thanks.
>
> On Jun 10, 10:14 am, eags eagsala...@gmail.com wrote:
>
> > I am implementing user logins and authentication using the model
> > presented in the login security FAQ.  In particular I plan on manually
> > maintaining a table of {sessionID,User,timeout} values for each active
> > session and not using the normal servlet session functionality.
> >
> > So, my question is, where do I get the ID that is returned to the
> > client?  I know that I can get one from the servlet session using
> > HttpServletRequest.getSession().getId() but it seems like I could just
> > use any randomly generated key right?  And maybe in fact I should not
> > use that technique because that sessionID is also in the header where
> > it can be easily snooped right?  So, what is a good technique for
> > generating the sessionID?  To avoid duplicates I would just check the
> > sessionID table before returning the sessionID to the client and if it
> > is already in use I just call generateSessionID() again.  So my
> > question is what should getSessionID() look like?
> >
> > I realize the recommended approach in the LoginSecurityFAQ is
> > controversial and I've already read all that debate so I'm not really
> > interested in more of that.  I just need specific help regarding these
> > questions assuming I am doing what is recommended in the FAQ.
> >
> > Thanks in advance for any help.



Using Filters

2009-06-10 Thread eags

I'd like to use Filter to implement all my security checks as a
gateway to each gwt rpc call.  I'm going to include a sessionID from
the client as an argument to each RPC call.  I'd like my filter in
doFilter to be able to pull off that argument and check if the user is
logged in and see what their role is.

In the examples I've seen, when implementing the doFilter() method it
isn't clear how I can get that argument off the request.  I looked at
the methods for HttpServletRequest and they didn't say anything useful.

Also, once I have the request I'd like to be able to check if the role
is appropriate for the method being invoked but it isn't clear to me
how I can do this either without having groups of methods for each
role and a specific filter that checks the specific role for each
group.  Maybe not a bad idea I guess.  I've seen other slicker stuff
using annotations that maybe the Filter could access the value of to
compare the user's role with the annotated required role for the
called method?  Any info would be good here.

In either case I would just throw an AuthenticationException right
there and let the client handle it in the AsyncCallback's onFail().

Thanks for any help.
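A worked example of the role check asked about in this thread (and in the "Re: Using Filters" follow-up at the top of the page), added here as an illustration; it is not the poster's code and not part of GWT or the LoginSecurityFAQ. A servlet Filter sees only the HTTP envelope: GWT-RPC arguments travel inside the serialized POST body, which is why nothing on HttpServletRequest exposes the sessionID argument. The natural hook is the RPC servlet itself: RemoteServiceServlet.processCall() runs once the body has been read, and the RPCRequest produced by RPC.decodeRequest() carries both the java.lang.reflect.Method being invoked (the service interface's method, so annotations placed on it are visible) and the argument array. The example assumes a @RequiresRole annotation on the service interface methods, the convention that the sessionID is the last argument of every protected method, and a SessionLookup interface standing in for the application's session table; all three are hypothetical names. The classes are shown in one listing; in a project the annotation and the exception live in the shared package so the GWT compiler can see them.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import com.google.gwt.user.client.rpc.SerializationException;
import com.google.gwt.user.server.rpc.RPC;
import com.google.gwt.user.server.rpc.RPCRequest;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/**
 * Hypothetical annotation: the role a caller's session must hold to invoke
 * a service method. Declared on the shared RemoteService interface so the
 * GWT compiler sees it; RUNTIME retention so the server can read it.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole {
    String value();
}

/**
 * Returned to the browser as an ordinary RPC failure, which lands in
 * AsyncCallback.onFailure(). Needs a no-arg constructor for GWT-RPC
 * serialization, and every protected method must declare it in its
 * throws clause (see the usage note below the listing).
 */
class AuthenticationException extends Exception {
    public AuthenticationException() {}
    public AuthenticationException(String message) { super(message); }
}

/** Assumed hook into the application's {sessionID, user, role, timeout} table. */
interface SessionLookup {
    /** The role bound to a live session, or null if the ID is unknown or expired. */
    String roleFor(String sessionID);
}

/**
 * Base class for the application's GWT-RPC servlets. The check runs after
 * deserialization and before the service method is invoked, so a request
 * with a missing, stale or under-privileged session never reaches it.
 */
public abstract class SecuredRemoteServiceServlet extends RemoteServiceServlet {

    private final SessionLookup sessions;

    protected SecuredRemoteServiceServlet(SessionLookup sessions) {
        this.sessions = sessions;
    }

    @Override
    public String processCall(String payload) throws SerializationException {
        RPCRequest rpcRequest = RPC.decodeRequest(payload, this.getClass(), this);
        Method method = rpcRequest.getMethod();
        RequiresRole required = method.getAnnotation(RequiresRole.class);

        if (required != null) {
            // Convention assumed here, matching the post's signatures:
            // the sessionID is the last argument of every protected method.
            String sessionID = lastStringArgument(rpcRequest.getParameters());
            String role = (sessionID == null) ? null : sessions.roleFor(sessionID);
            if (role == null || !role.equals(required.value())) {
                // Deny before the service method runs; the client sees a
                // typed AuthenticationException in onFailure().
                return RPC.encodeResponseForFailure(method,
                        new AuthenticationException("not authorized"),
                        rpcRequest.getSerializationPolicy());
            }
        }
        // Authorized (or unannotated): the normal GWT dispatch path.
        return RPC.invokeAndEncodeResponse(this, method, rpcRequest.getParameters(),
                rpcRequest.getSerializationPolicy());
    }

    private static String lastStringArgument(Object[] params) {
        if (params == null || params.length == 0) return null;
        Object last = params[params.length - 1];
        return (last instanceof String) ? (String) last : null;
    }
}
```

A protected method in the service interface then reads `@RequiresRole("ADMIN") void doSomeAdminThing(Object data, String sessionID) throws AuthenticationException;`. The throws clause is not optional: RPC.encodeResponseForFailure() only encodes exceptions the method declares, and the declaration is also what lets the GWT client deserialize the failure as that exception type rather than a generic one. Unannotated methods (the post's doSomeThing(Object data)) pass straight through, so the default is open; if most of the service should be protected, invert the convention and annotate the public methods instead.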





Very basic LoginSecurityFAQ and GWT-RPC questions

2009-06-09 Thread eags

So I read the LoginSecurityFAQ (http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ) and I plan on implementing
logins exactly as in the FAQ.  At a high level I believe I get it but
need help on the specifics so please be as detailed and specific as
possible in your responses.  A link to an actual implementation of the
LoginSecurityFAQ's method would be ideal.

So here is my notion of what I need to do with some questions about
details:

1. I'm planning on using the google app engine's JDO implementation to
store all data.  For each User object I intend to store the userID and
the jBCrypt hash of the password along with whatever other user data
in the same object.  When a new user registers, I'll create a new User
object and store it.
2. When a user tries to log in the server uses the username to fetch
the User object and the associated hash to check if the supplied
password is validated by the hash.

Here is where I get confused and am not sure but here is my best
notion of what I should do:

I return a sessionID to the client.  I have seen people mention in
other posts that a sessionID can be fetched by doing:
getThreadLocalRequest().getSession(); on the server.  (Also do I want
to return the HttpSession or use getSession().getId()???) Or can I
use any random number?? (sounds wrong).  However I generate it, is
this session ID something I need to store using JDO along with the
username and a timeout value so that I can subsequently validate that
the session exists and is still active?  Or is the session and
sessionID something that just exists on the server and I just need to
get a reference to?

Either way I'm still fuzzy on details.  If I do store
{username,sessionID,timeout} in a DB, do I then need to periodically
clear stuff out of there??  If they explicitly log out I can see
removing the object but if they just close their browser it would just
grow and grow right?  I guess if I don't duplicate usernames when adding
new sessionID at worst this table would contain all my users all the
time and have a bunch of timed out sessions.

Also, how do I invalidate a session ID right when they close their
browser?  I guess I could first check for the existing session ID and
if the timeout indicates it shouldn't persist over browser restarts or
page closing then I can compare to getThreadLocalRequest().getSession()
and see if they are the same (will subsequent calls result in the
same sessionID iff the browser window hasn't been closed)??  Also how
do I know there are no duplicate sessionIDs handed out over time where
more than one might be active at once (if I wanted to allow users to
stay logged in perpetually?).  I'm trying to answer some of my own
questions but I'm very fuzzy here.

If I don't store {username,sessionID,timeout} in a DB (and always just
use getSession().getID() to compare what the client sends me), how
then can sessions remain active for weeks even across closed browsers,
etc (assuming I do the thing where I store the sessionID in a cookie
and retrieve and try it before trying a new login).

Also, I never saw any mention of sending the username along with the
sessionID.  Is that right?

Anyway, moving on to more confusion:

The FAQ mentions specifically that the sessionID should be included in
the *payload* of every subsequent RPC request.  Does payload just
mean an additional argument in the interface methods in the service
like (from the GWT StockWatcher tutorial):

StockPrice[] getPrices(String[] symbols,String sessionID) throws
DelistedException;

Or are we talking about some other way to pass this to the server?

OK.  Now on to a couple related GWT RPC questions.

So I have a few things the server will be handling for me, for
example:

String login(String username, String password);    // returns the sessionID
String register(String username, String password); // returns the sessionID
boolean isLoggedIn(String sessionID);
void logout(String sessionID); // requires sessionID or no?  I guess not really needed

and

void doSomeAdminThing(Object data, String sessionID);
void doSomeUserThing(Object data, String sessionID);
void doSomeThing(Object data);

Do people typically group related functions (like
login,register,logout) into a single RemoteService interface?  Or each
function its own service?  Or all functions for a given app grouped in
one big service (maybe required for session somehow?)

Last question is regarding authentication.  Using the three doSome*()
methods I describe above, the idea here is that there are different
things available to different users and I'm thinking I entirely
regulate that on the server side and would just have a line of code
that checks something like if( User.getUserType() != User.type.ADMIN)
throw something at the beginning of each service method.  Does that
seem right?

That's it!  Feel free to mention anything I didn't ask about but am
obviously missing or should know.  As you can see I'm definitely just
learning here and need lots of help.

Thanks very much in advance for all help.
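An added worked example of the session table discussed in this post and in the LoginSecurityFAQ sessionID/token thread above; it is illustrative code, not the poster's implementation and not from the FAQ. It keeps the {sessionID, username, role, timeout} rows in memory (the App Engine JDO version would persist the same rows) and covers the questions raised: generating the ID, the duplicate check, validating and extending the timeout on each RPC call, explicit logout, and the periodic purge that keeps closed-browser sessions from accumulating. The ID comes from java.security.SecureRandom, the cryptographic generator; that property is what makes "any random number" acceptable, and UUID.randomUUID() satisfies it too, since it draws its 122 random bits from SecureRandom. Storing the role in the row, as the follow-up reply further down suggests, spares a User fetch per request. The 30-minute timeout and the user "alice" in main() are constructed sample values.

```java
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * The {sessionID, username, role, timeout} table from the post, in memory.
 * A JDO-backed version stores the same rows; the operations are what matter.
 */
public final class SessionRegistry {

    /** One row of the session table. */
    public static final class Session {
        public final String username;
        public final String role;
        volatile long expiresAtMillis;

        Session(String username, String role, long expiresAtMillis) {
            this.username = username;
            this.role = role;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    private final Map<String, Session> sessions = new ConcurrentHashMap<String, Session>();
    private final long idleTimeoutMillis;

    public SessionRegistry(long idleTimeoutMillis) {
        this.idleTimeoutMillis = idleTimeoutMillis;
    }

    /**
     * generateSessionID(): 32 bytes (256 bits) from the cryptographic RNG,
     * hex-encoded. Unguessable, and independent of the container's JSESSIONID.
     */
    static String generateSessionID() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        char[] out = new char[raw.length * 2];
        for (int i = 0; i < raw.length; i++) {
            out[2 * i] = HEX[(raw[i] >> 4) & 0xf];
            out[2 * i + 1] = HEX[raw[i] & 0xf];
        }
        return new String(out);
    }

    /** Called once the bcrypt check has passed; returns the ID the client sends back. */
    public String login(String username, String role) {
        long expiry = now() + idleTimeoutMillis;
        String id;
        do {
            id = generateSessionID();
            // The post's duplicate check, done atomically with the insert. With
            // 256 random bits a collision never happens in practice.
        } while (sessions.putIfAbsent(id, new Session(username, role, expiry)) != null);
        return id;
    }

    /**
     * Looks up the ID sent in an RPC payload: null if unknown or timed out (an
     * expired row is dropped on sight), otherwise the row with its timeout
     * extended. The role travels with the row, so no User fetch per call.
     */
    public Session validate(String sessionID) {
        if (sessionID == null) return null;
        Session s = sessions.get(sessionID);
        if (s == null) return null;
        if (s.expiresAtMillis < now()) {
            sessions.remove(sessionID);
            return null;
        }
        s.expiresAtMillis = now() + idleTimeoutMillis;
        return s;
    }

    /** Explicit logout: the ID is dead immediately, even if the client kept a copy. */
    public void logout(String sessionID) {
        if (sessionID != null) sessions.remove(sessionID);
    }

    /**
     * Sweep for users who closed the browser without logging out. Run it
     * periodically (a cron job on App Engine) so the table cannot grow without bound.
     */
    public int purgeExpired() {
        long t = now();
        int removed = 0;
        for (Iterator<Session> it = sessions.values().iterator(); it.hasNext();) {
            if (it.next().expiresAtMillis < t) {
                it.remove();
                removed++;
            }
        }
        return removed;
    }

    private static long now() { return System.currentTimeMillis(); }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistry(30 * 60 * 1000L); // constructed: 30 min
        String id = registry.login("alice", "ADMIN");                   // constructed sample user
        System.out.println(registry.validate(id).role);                 // ADMIN
        registry.logout(id);
        System.out.println(registry.validate(id));                      // null
    }
}
```

On the cookie question in the post: a "stay logged in for weeks" session is the same row with a long idleTimeoutMillis, and the client only ever holds the ID, never the username, so nothing beyond the ID needs to be sent with each call. A sessionID that sits in a cookie or in every RPC payload is only as safe as the channel it crosses, which is why the FAQ's advice about the container's own header-borne ID applies equally to this one: serve it over HTTPS.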


HELLO MODERATOR

2009-06-09 Thread eags

Hi.  I posted a comment last night starting a new thread called Very
basic LoginSecurityFAQ and GWT-RPC questions.  I guess because of the
moderation it wasn't actually posted until about a half an hour ago
but the timestamp on it still is for last night which means that it is
buried in last night's conversations and no one is seeing it.

So I have two questions:

1. Should I repost?  Or is it possible for you to reset the timestamp
so it gets seen?
2. How do I become a regular user and not get moderated anymore?  Is
it a certain number of posts?  Or is it a certain average rating on my
posts?  Thanks.





Re: Very basic LoginSecurityFAQ and GWT-RPC questions

2009-06-09 Thread eags

Someone I talked to in person (who otherwise didn't know about GWT
RPC) suggested I also store the role as in
{username,sessionID,timeout,role} so that I don't have to fetch and
otherwise mess with the user object every request.  Does that seem
sane?  I suppose I could also store a reference to the User object
since that is likely to get referenced pretty regularly.  Any issues
with that scheme? (again assuming that storing the sessionID manually
is what I'm supposed to do at all).

On Jun 8, 11:27 pm, eags eagsala...@gmail.com wrote:
> So I read the LoginSecurityFAQ (http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ) and I plan on implementing
> logins exactly as in the FAQ.  At a high level I believe I get it but
> need help on the specifics so please be as detailed and specific as
> possible in your responses.  A link to an actual implementation of the
> LoginSecurityFAQ's method would be ideal.
>
> So here is my notion of what I need to do with some questions about
> details:
>
> 1. I'm planning on using the google app engine's JDO implementation to
> store all data.  For each User object I intend to store the userID and
> the jBCrypt hash of the password along with whatever other user data
> in the same object.  When a new user registers, I'll create a new User
> object and store it.
> 2. When a user tries to log in the server uses the username to fetch
> the User object and the associated hash to check if the supplied
> password is validated by the hash.
>
> Here is where I get confused and am not sure but here is my best
> notion of what I should do:
>
> I return a sessionID to the client.  I have seen people mention in
> other posts that a sessionID can be fetched by doing:
> getThreadLocalRequest().getSession(); on the server.  (Also do I want
> to return the HttpSession or use getSession().getId()???) Or can I
> use any random number?? (sounds wrong).  However I generate it, is
> this session ID something I need to store using JDO along with the
> username and a timeout value so that I can subsequently validate that
> the session exists and is still active?  Or is the session and
> sessionID something that just exists on the server and I just need to
> get a reference to?
>
> Either way I'm still fuzzy on details.  If I do store
> {username,sessionID,timeout} in a DB, do I then need to periodically
> clear stuff out of there??  If they explicitly log out I can see
> removing the object but if they just close their browser it would just
> grow and grow right?  I guess if I don't duplicate usernames when adding
> new sessionID at worst this table would contain all my users all the
> time and have a bunch of timed out sessions.
>
> Also, how do I invalidate a session ID right when they close their
> browser?  I guess I could first check for the existing session ID and
> if the timeout indicates it shouldn't persist over browser restarts or
> page closing then I can compare to getThreadLocalRequest().getSession()
> and see if they are the same (will subsequent calls result in the
> same sessionID iff the browser window hasn't been closed)??  Also how
> do I know there are no duplicate sessionIDs handed out over time where
> more than one might be active at once (if I wanted to allow users to
> stay logged in perpetually?).  I'm trying to answer some of my own
> questions but I'm very fuzzy here.
>
> If I don't store {username,sessionID,timeout} in a DB (and always just
> use getSession().getID() to compare what the client sends me), how
> then can sessions remain active for weeks even across closed browsers,
> etc (assuming I do the thing where I store the sessionID in a cookie
> and retrieve and try it before trying a new login).
>
> Also, I never saw any mention of sending the username along with the
> sessionID.  Is that right?
>
> Anyway, moving on to more confusion:
>
> The FAQ mentions specifically that the sessionID should be included in
> the *payload* of every subsequent RPC request.  Does payload just
> mean an additional argument in the interface methods in the service
> like (from the GWT StockWatcher tutorial):
>
> StockPrice[] getPrices(String[] symbols,String sessionID) throws
> DelistedException;
>
> Or are we talking about some other way to pass this to the server?
>
> OK.  Now on to a couple related GWT RPC questions.
>
> So I have a few things the server will be handling for me, for
> example:
>
> String login(String username, String password);    // returns the sessionID
> String register(String username, String password); // returns the sessionID
> boolean isLoggedIn(String sessionID);
> void logout(String sessionID); // requires sessionID or no?  I guess not really needed
>
> and
>
> void doSomeAdminThing(Object data, String sessionID);
> void doSomeUserThing(Object data, String sessionID);
> void doSomeThing(Object data);
>
> Do people typically group related functions (like
> login,register,logout) into a single RemoteService interface?  Or each
> function its own service?  Or all functions for a given app grouped in
> one big service (maybe required for session somehow?)
>
> Last question is regarding