Re: Using Filters
Anyone have any idea about this or know where I can look/read to find out more? I'm totally at a loss here. It looks like there are a bunch of interesting methods for the ServletRequest class but HttpServletRequest doesn't have much I can do with it.

On Jun 10, 3:31 pm, eags eagsala...@gmail.com wrote:

I'd like to use Filter to implement all my security checks as a gateway to each GWT RPC call. I'm going to include a sessionID from the client as an argument to each RPC call. I'd like my filter in doFilter to be able to pull off that argument and check if the user is logged in and see what their role is. In the examples I've seen, when implementing the doFilter() method it isn't clear how I can get that argument off the request. I looked at the methods for HttpServletRequest and they didn't say anything useful.

Also, once I have the request I'd like to be able to check if the role is appropriate for the method being invoked, but it isn't clear to me how I can do this either without having groups of methods for each role and a specific filter that checks the specific role for each group. Maybe not a bad idea I guess. I've seen other slicker stuff using annotations; maybe the Filter could access the value of those to compare the user's role with the annotated required role for the called method? Any info would be good here. In either case I would just throw an AuthenticationException right there and let the client handle it in the AsyncCallback's onFail(). Thanks for any help.

--
You received this message because you are subscribed to the Google Groups Google Web Toolkit group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en
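One way to build the per-call gateway asked about above, as an added example that is not from this thread and not GWT's own code. A servlet Filter only sees the raw serialized GWT-RPC body, before any argument exists as a Java object, so this example hooks RemoteServiceServlet.processCall instead, where GWT has already decoded the target method and its arguments. It assumes the convention that the sessionID is the last argument of every protected method, a hypothetical @RequiresRole annotation on the implementation method, an in-memory map with constructed rows standing in for the real session table, and that each protected service method declares `throws AuthenticationException` (RPC.encodeResponseForFailure only encodes an exception the interface method declares). The AdminService and AdminServiceImpl names are made up for the example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import com.google.gwt.user.client.rpc.IncompatibleRemoteServiceException;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.client.rpc.SerializationException;
import com.google.gwt.user.server.rpc.RPC;
import com.google.gwt.user.server.rpc.RPCRequest;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/**
 * Base servlet that checks the session and role of every GWT-RPC call before dispatching it.
 * Assumption: protected methods take the sessionID as their LAST argument and declare
 * "throws AuthenticationException" so GWT is allowed to encode it for the client.
 */
public class SecuredServiceServlet extends RemoteServiceServlet {

    /** Hypothetical marker naming the role an implementation method requires. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface RequiresRole {
        String value();
    }

    /** Stand-in for the real {sessionID, user, role, timeout} table: constructed sample rows. */
    static final Map<String, String[]> SESSIONS = new ConcurrentHashMap<String, String[]>();
    static {
        SESSIONS.put("Vf0aV1Tg3oD6KXlCqIe8tQ", new String[] {"alice", "ADMIN"});
        SESSIONS.put("p2WcR9bKjYpQ7nZ4sE1mHg", new String[] {"bob", "USER"});
    }

    @Override
    public String processCall(String payload) throws SerializationException {
        RPCRequest req;
        try {
            // GWT decodes the serialized body into the interface Method plus its argument values.
            req = RPC.decodeRequest(payload, this.getClass(), this);
        } catch (IncompatibleRemoteServiceException ex) {
            return RPC.encodeResponseForFailure(null, ex);
        }
        onAfterRequestDeserialized(req);

        Method method = req.getMethod();
        Object[] args = req.getParameters();
        RequiresRole required = findRequiredRole(method);

        // Methods without the annotation (login, register, public reads) need no session.
        if (required != null) {
            String sessionId = (args.length > 0 && args[args.length - 1] instanceof String)
                    ? (String) args[args.length - 1] : null;
            String[] session = sessionId == null ? null : SESSIONS.get(sessionId);
            if (session == null || !required.value().equals(session[1])) {
                // Arrives in the client's AsyncCallback failure callback as a typed exception.
                return RPC.encodeResponseForFailure(method,
                        new AuthenticationException("not logged in or role " + required.value() + " required"),
                        req.getSerializationPolicy());
            }
        }
        return RPC.invokeAndEncodeResponse(this, method, args, req.getSerializationPolicy());
    }

    /** RPCRequest returns the interface Method, so the annotation is looked up on the implementation. */
    private RequiresRole findRequiredRole(Method ifaceMethod) {
        try {
            Method impl = getClass().getMethod(ifaceMethod.getName(), ifaceMethod.getParameterTypes());
            return impl.getAnnotation(RequiresRole.class);
        } catch (NoSuchMethodException e) {
            return null;
        }
    }
}

/** Client-visible exception; in a real project a public class in the shared package. */
class AuthenticationException extends Exception {
    public AuthenticationException() { }            // GWT-RPC needs a no-arg constructor
    public AuthenticationException(String msg) { super(msg); }
}

/** Hypothetical service interface; must be public and on the client source path in a real project. */
interface AdminService extends RemoteService {
    String doSomeAdminThing(String data, String sessionID) throws AuthenticationException;
}

/** Hypothetical implementation: the role requirement lives here, on the server side only. */
class AdminServiceImpl extends SecuredServiceServlet implements AdminService {
    @RequiresRole("ADMIN")
    public String doSomeAdminThing(String data, String sessionID) throws AuthenticationException {
        return "did " + data + " for " + SESSIONS.get(sessionID)[0];
    }
}
```

With this in place, a call carrying "p2WcR9bKjYpQ7nZ4sE1mHg" (bob, USER) to doSomeAdminThing fails before the method body runs, while the same call with alice's ID is dispatched normally. The one design choice worth noting is the default: a method with no annotation is open, which is right for login and register but means a forgotten annotation silently exposes a method; inverting the rule (deny unless annotated, with a separate marker for public methods) is the safer default on a larger service.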
Re: LoginSecurityFAQ and sessionID/tokens
I found one discussion with the author of the LoginSecurityFAQ where they ask this exact question, and he does state that using a random sessionID other than the one automatically included in the HTTP header generated by the servlet is best. (http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/208f0144bc686114/842ba54ffa4f9265?lnk=gstq=user+authentication+login+sessions#842ba54ffa4f9265)

As for how to generate the token I'm thinking:

String sessionID = UUID.randomUUID().toString();

Any feedback is great as I'm really new to this stuff. Thanks.

On Jun 10, 10:14 am, eags eagsala...@gmail.com wrote:

I am implementing user logins and authentication using the model presented in the login security FAQ. In particular I plan on manually maintaining a table of {sessionID, User, timeout} values for each active session and not using the normal servlet session functionality. So, my question is, where do I get the ID that is returned to the client? I know that I can get one from the servlet session using HttpServletRequest.getSession().getId(), but it seems like I could just use any randomly generated key, right? And maybe I in fact should not use that technique because that sessionID is also in the header where it can be easily snooped, right?

So, what is a good technique for generating the sessionID? To avoid duplicates I would just check the sessionID table before returning the sessionID to the client, and if it is already in use I just call generateSessionID() again. So my question is what should getSessionID() look like?

I realize the recommended approach in the LoginSecurityFAQ is controversial and I've already read all that debate, so I'm not really interested in more of that. I just need specific help regarding these questions assuming I am doing what is recommended in the FAQ. Thanks in advance for any help.
Re: LoginSecurityFAQ and sessionID/tokens
LoginSecurityFAQ is here BTW (http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ)

On Jun 10, 12:28 pm, eags eagsala...@gmail.com wrote:

I found one discussion with the author of the LoginSecurityFAQ where they ask this exact question, and he does state that using a random sessionID other than the one automatically included in the HTTP header generated by the servlet is best. (http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/208f0144bc686114/842ba54ffa4f9265?lnk=gstq=user+authentication+login+sessions#842ba54ffa4f9265)

As for how to generate the token I'm thinking:

String sessionID = UUID.randomUUID().toString();

Any feedback is great as I'm really new to this stuff. Thanks.

On Jun 10, 10:14 am, eags eagsala...@gmail.com wrote:

I am implementing user logins and authentication using the model presented in the login security FAQ. In particular I plan on manually maintaining a table of {sessionID, User, timeout} values for each active session and not using the normal servlet session functionality. So, my question is, where do I get the ID that is returned to the client? I know that I can get one from the servlet session using HttpServletRequest.getSession().getId(), but it seems like I could just use any randomly generated key, right? And maybe I in fact should not use that technique because that sessionID is also in the header where it can be easily snooped, right?

So, what is a good technique for generating the sessionID? To avoid duplicates I would just check the sessionID table before returning the sessionID to the client, and if it is already in use I just call generateSessionID() again. So my question is what should getSessionID() look like?

I realize the recommended approach in the LoginSecurityFAQ is controversial and I've already read all that debate, so I'm not really interested in more of that. I just need specific help regarding these questions assuming I am doing what is recommended in the FAQ. Thanks in advance for any help.
Using Filters
I'd like to use Filter to implement all my security checks as a gateway to each GWT RPC call. I'm going to include a sessionID from the client as an argument to each RPC call. I'd like my filter in doFilter to be able to pull off that argument and check if the user is logged in and see what their role is. In the examples I've seen, when implementing the doFilter() method it isn't clear how I can get that argument off the request. I looked at the methods for HttpServletRequest and they didn't say anything useful.

Also, once I have the request I'd like to be able to check if the role is appropriate for the method being invoked, but it isn't clear to me how I can do this either without having groups of methods for each role and a specific filter that checks the specific role for each group. Maybe not a bad idea I guess. I've seen other slicker stuff using annotations; maybe the Filter could access the value of those to compare the user's role with the annotated required role for the called method? Any info would be good here. In either case I would just throw an AuthenticationException right there and let the client handle it in the AsyncCallback's onFail(). Thanks for any help.
Very basic LoginSecurityFAQ and GWT-RPC questions
So I read the LoginSecurityFAQ (http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ) and I plan on implementing logins exactly as in the FAQ. At a high level I believe I get it but need help on the specifics, so please be as detailed and specific as possible in your responses. A link to an actual implementation of the LoginSecurityFAQ's method would be ideal. So here is my notion of what I need to do with some questions about details:

1. I'm planning on using the Google App Engine's JDO implementation to store all data. For each User object I intend to store the userID and the jBCrypt hash of the password along with whatever other user data in the same object. When a new user registers, I'll create a new User object and store it.

2. When a user tries to log in, the server uses the username to fetch the User object and the associated hash to check if the supplied password is validated by the hash.

Here is where I get confused and am not sure, but here is my best notion of what I should do: I return a sessionID to the client. I have seen people mention in other posts that a sessionID can be fetched by doing getThreadLocalRequest().getSession() on the server. (Also, do I want to return the HttpSession or use getSession().getId()???) Or can I use any random number?? (sounds wrong).

However I generate it, is this session ID something I need to store using JDO along with the username and a timeout value so that I can subsequently validate that the session exists and is still active? Or is the session and sessionID something that just exists on the server and I just need to get a reference to? Either way I'm still fuzzy on details. If I do store {username, sessionID, timeout} in a DB, do I then need to periodically clear stuff out of there?? If they explicitly log out I can see removing the object, but if they just close their browser it would just grow and grow, right? I guess if I don't duplicate usernames when adding a new sessionID, at worst this table would contain all my users all the time and have a bunch of timed out sessions.

Also, how do I invalidate a session ID right when they close their browser? I guess I could first check for the existing session ID and, if the timeout indicates it shouldn't persist over browser restarts or page closing, then I can compare to getThreadLocalRequest().getSession() and see if they are the same (will subsequent calls result in the same sessionID iff the browser window hasn't been closed)?? Also, how do I know there are no duplicate sessionIDs handed out over time where more than one might be active at once (if I wanted to allow users to stay logged in perpetually)? I'm trying to answer some of my own questions but I'm very fuzzy here.

If I don't store {username, sessionID, timeout} in a DB (and always just use getSession().getId() to compare what the client sends me), how then can sessions remain active for weeks even across closed browsers, etc. (assuming I do the thing where I store the sessionID in a cookie and retrieve and try it before trying a new login)? Also, I never saw any mention of sending the username along with the sessionID. Is that right?

Anyway, moving on to more confusion: The FAQ mentions specifically that the sessionID should be included in the *payload* of every subsequent RPC request. Does payload just mean an additional argument in the interface methods in the service like (from the GWT StockWatcher tutorial):

StockPrice[] getPrices(String[] symbols, String sessionID) throws DelistedException;

Or are we talking about some other way to pass this to the server?

OK. Now on to a couple of related GWT RPC questions. So I have a few things the server will be handling for me, for example:

String sessionID login(username, password);
String sessionID register(username, password);
bool isLoggedIn(String sessionID);
void logout(String sessionID); // requires sessionID or no? I guess not really needed

and

doSomeAdminThing(Object data, String sessionID);
doSomeUserThing(Object data, String sessionID);
doSomeThing(Object data);

Do people typically group related functions (like login, register, logout) into a single RemoteService interface? Or each function its own service? Or all functions for a given app grouped in one big service (maybe required for session somehow?)

Last question is regarding authentication. Using the three doSome*() methods I describe above, the idea here is that there are different things available to different users, and I'm thinking I entirely regulate that on the server side and would just have a line of code that checks something like if( User.getUserType() != User.type.ADMIN) throw something at the beginning of each service method. Does that seem right?

That's it! Feel free to mention anything I didn't ask about but am obviously missing or should know. As you can see I'm definitely just learning here and need lots of help. Thanks very much in advance for all help.
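A worked version of the {sessionID, username, role, timeout} table discussed above, added here as an example; it is not the FAQ's code and not from anyone in the thread. It also covers the sessionID-generation question from the earlier reply and the follow-up about caching the role in the row: UUID.randomUUID() is backed by SecureRandom and yields 122 random bits, so the proposed one-liner is a usable token, while this version draws 128 bits from SecureRandom directly and encodes them URL-safe. It assumes jBCrypt (org.mindrot.jbcrypt) on the classpath, Java 8 for java.util.Base64, and two in-memory maps with constructed sample data in place of JDO entities.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.mindrot.jbcrypt.BCrypt;

/**
 * In-memory version of the FAQ's session table. In production the two maps would be
 * JDO entities; the logic (generate, insert-if-absent, expire, sweep) stays the same.
 */
public class SessionStore {

    /** One row of the session table; the role is cached so a request need not load the User. */
    public static final class Session {
        public final String username;
        public final String role;
        public final long expiresAtMillis;

        Session(String username, String role, long expiresAtMillis) {
            this.username = username;
            this.role = role;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    // Checked against when the username is unknown, so a wrong username costs the same time
    // as a wrong password and the login call does not reveal which accounts exist.
    private static final String DUMMY_HASH = BCrypt.hashpw("unused", BCrypt.gensalt(12));

    private final Map<String, String[]> users = new ConcurrentHashMap<>();   // username -> {bcrypt hash, role}
    private final Map<String, Session> sessions = new ConcurrentHashMap<>(); // sessionID -> row

    public void register(String username, String password, String role) {
        users.put(username, new String[] {BCrypt.hashpw(password, BCrypt.gensalt(12)), role});
    }

    /**
     * Verifies the password and opens a session. ttlMillis is the FAQ's timeout: minutes for a
     * browser-lifetime login, weeks for "remember me". Returns null on bad credentials.
     */
    public String login(String username, String password, long ttlMillis) {
        String[] row = users.get(username);
        boolean ok = BCrypt.checkpw(password, row != null ? row[0] : DUMMY_HASH) && row != null;
        if (!ok) {
            return null;
        }
        Session session = new Session(username, row[1], System.currentTimeMillis() + ttlMillis);
        String id;
        do {
            id = newSessionId();
        } while (sessions.putIfAbsent(id, session) != null); // atomic "check the table, else retry"
        return id;
    }

    /** Returns the live session for an ID, or null if it is unknown or has timed out. */
    public Session lookup(String sessionId) {
        if (sessionId == null) {
            return null;
        }
        Session s = sessions.get(sessionId);
        if (s != null && System.currentTimeMillis() > s.expiresAtMillis) {
            sessions.remove(sessionId);
            s = null;
        }
        return s;
    }

    public void logout(String sessionId) {
        sessions.remove(sessionId);
    }

    /** Run from a scheduled task; the server never sees a browser close, only the timeout. */
    public int sweepExpired() {
        int removed = 0;
        long now = System.currentTimeMillis();
        for (Iterator<Session> it = sessions.values().iterator(); it.hasNext();) {
            if (now > it.next().expiresAtMillis) {
                it.remove();
                removed++;
            }
        }
        return removed;
    }

    /** 128 bits from SecureRandom, URL-safe so the token survives cookies and RPC payloads unchanged. */
    static String newSessionId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore();
        store.register("alice", "correct horse battery staple", "ADMIN"); // constructed sample user
        String id = store.login("alice", "correct horse battery staple", 30 * 60 * 1000L);
        System.out.println("session " + id + " role " + store.lookup(id).role);
        System.out.println("bad password -> " + store.login("alice", "wrong", 1000L));
        store.logout(id);
        System.out.println("after logout -> " + store.lookup(id));
    }
}
```

The putIfAbsent loop is the "check the table before returning the ID" step from the earlier reply, done atomically so two concurrent logins cannot both win the same ID; with 128 random bits the retry branch is never expected to run, but the loop keeps the code correct if the table and the generator are ever swapped for weaker ones. The expiry is stored as an absolute time so the same row works for both short and long-lived logins, and the same token can be handed back from a cookie on the next visit and validated by lookup() before falling back to a fresh login.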
HELLO MODERATOR
Hi. I posted a comment last night starting a new thread called Very basic LoginSecurityFAQ and GWT-RPC questions. I guess because of the moderation it wasn't actually posted until about half an hour ago, but the timestamp on it is still for last night, which means that it is buried in last night's conversations and no one is seeing it. So I have two questions: 1. Should I repost? Or is it possible for you to reset the timestamp so it gets seen? 2. How do I become a regular user and not get moderated anymore? Is it a certain number of posts? Or is it a certain average rating on my posts? Thanks.
Re: Very basic LoginSecurityFAQ and GWT-RPC questions
Someone I talked to in person (who otherwise didn't know about GWT RPC) suggested I also store the role, as in {username, sessionID, timeout, role}, so that I don't have to fetch and otherwise mess with the user object every request. Does that seem sane? I suppose I could also store a reference to the User object since that is likely to get referenced pretty regularly. Any issues with that scheme? (again assuming that storing the sessionID manually is what I'm supposed to do at all).

On Jun 8, 11:27 pm, eags eagsala...@gmail.com wrote:

So I read the LoginSecurityFAQ (http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ) and I plan on implementing logins exactly as in the FAQ. At a high level I believe I get it but need help on the specifics, so please be as detailed and specific as possible in your responses. A link to an actual implementation of the LoginSecurityFAQ's method would be ideal. So here is my notion of what I need to do with some questions about details:

1. I'm planning on using the Google App Engine's JDO implementation to store all data. For each User object I intend to store the userID and the jBCrypt hash of the password along with whatever other user data in the same object. When a new user registers, I'll create a new User object and store it.

2. When a user tries to log in, the server uses the username to fetch the User object and the associated hash to check if the supplied password is validated by the hash.

Here is where I get confused and am not sure, but here is my best notion of what I should do: I return a sessionID to the client. I have seen people mention in other posts that a sessionID can be fetched by doing getThreadLocalRequest().getSession() on the server. (Also, do I want to return the HttpSession or use getSession().getId()???) Or can I use any random number?? (sounds wrong).

However I generate it, is this session ID something I need to store using JDO along with the username and a timeout value so that I can subsequently validate that the session exists and is still active? Or is the session and sessionID something that just exists on the server and I just need to get a reference to? Either way I'm still fuzzy on details. If I do store {username, sessionID, timeout} in a DB, do I then need to periodically clear stuff out of there?? If they explicitly log out I can see removing the object, but if they just close their browser it would just grow and grow, right? I guess if I don't duplicate usernames when adding a new sessionID, at worst this table would contain all my users all the time and have a bunch of timed out sessions.

Also, how do I invalidate a session ID right when they close their browser? I guess I could first check for the existing session ID and, if the timeout indicates it shouldn't persist over browser restarts or page closing, then I can compare to getThreadLocalRequest().getSession() and see if they are the same (will subsequent calls result in the same sessionID iff the browser window hasn't been closed)?? Also, how do I know there are no duplicate sessionIDs handed out over time where more than one might be active at once (if I wanted to allow users to stay logged in perpetually)? I'm trying to answer some of my own questions but I'm very fuzzy here.

If I don't store {username, sessionID, timeout} in a DB (and always just use getSession().getId() to compare what the client sends me), how then can sessions remain active for weeks even across closed browsers, etc. (assuming I do the thing where I store the sessionID in a cookie and retrieve and try it before trying a new login)? Also, I never saw any mention of sending the username along with the sessionID. Is that right?

Anyway, moving on to more confusion: The FAQ mentions specifically that the sessionID should be included in the *payload* of every subsequent RPC request. Does payload just mean an additional argument in the interface methods in the service like (from the GWT StockWatcher tutorial):

StockPrice[] getPrices(String[] symbols, String sessionID) throws DelistedException;

Or are we talking about some other way to pass this to the server?

OK. Now on to a couple of related GWT RPC questions. So I have a few things the server will be handling for me, for example:

String sessionID login(username, password);
String sessionID register(username, password);
bool isLoggedIn(String sessionID);
void logout(String sessionID); // requires sessionID or no? I guess not really needed

and

doSomeAdminThing(Object data, String sessionID);
doSomeUserThing(Object data, String sessionID);
doSomeThing(Object data);

Do people typically group related functions (like login, register, logout) into a single RemoteService interface? Or each function its own service? Or all functions for a given app grouped in one big service (maybe required for session somehow?)

Last question is regarding