Re: Dealing with session timeout and container managed security
What do you mean by server push? Could you maybe elaborate on your approach a little, thanks. On Mar 6, 5:11 pm, Rakesh rake...@gmail.com wrote: we use server push for session time out and it works really great! On Feb 28, 1:26 am, marcelstoer mar...@frightanic.com wrote: Is there some consensus or best practice in the GWT community as for how to deal with session timeout and container managed security? There are some pointers if you search for this subject, but some of the ideas are wild... In my case I use the Servlet container's built in security features for authentication as described in the Servlet specification. Hence, in my web.xm I protect access to the GWT application like so: security-constraint web-resource-collection web-resource-namemy app/web-resource-name url-pattern/app/*/url-pattern http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/public/login.jsp/form-login-page form-error-page/public/login.jsp?retry=true/form-error-page /form-login-config /login-config security-role role-name*/role-name /security-role So, the application (host/bootstrap page, RPC Servlet, etc.) is in the app folder and the login form (login.jsp) is in the public folder. This works flawlessly except for the session timeout use case. The application sends an RPC request to /app/AppServlet, the Servlet container requires authentication because the session had timed out and dutifully *forwards* to the login page. Hence, the result of the request is not some RPC/JSON/XML object as expected by the client but the login page HTML structure. The client simply isn't prepared for that and freezes i.e. doesn't do anything. I believe that on the server side everything is set up correctly. If the session timed out the requests don't even reach the RPC Servlet because it's intercepted by the container, fine. But how do you deal with this in the client? Should one write some custom AsyncCallback class that handles the reponse sent by the container? Thanks for your feedback. Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Re: Password Encryption
com.project.client.User implements java.io..Serializable
plus the default constructor
public User() {}
Done.
On Mar 6, 12:14 am, fatjack1...@googlemail.com
fatjack1...@googlemail.com wrote:
I am using GWT 1.5.3. How do I use Serializable? Eclipse produces an
error when I try to implement Serializable. It says I need to either:
1. import java.io.Serializable
2. import sunw.io.Serializable;
3. Create a public interface Serializable
Which is the right one to use?
On Mar 5, 10:59 pm, Daniel Jue teamp...@gmail.com wrote:
What version of GWT are you using? Have you tried
public class User implements Serializable{...}
instead?
On Thu, Mar 5, 2009 at 5:01 PM, fatjack1...@googlemail.com
fatjack1...@googlemail.com wrote:
Hi Everyone,
Im having some issues encrypting a password. So heres my problem:
Basically I have a simple user name and password dialog box. I need to
encrypt the password. It would be easy to implement if I just wanted
to send the password over to the Server, but I need to send both the
user name and password. So, to try and overcome this problem I have
created a User Class as follows:
package com.project.client;
import com.google.gwt.user.client.rpc.IsSerializable;
public class User implements IsSerializable{
private String username;
private String password;
public User(String username, String password){
this.username = username;
this.password = password;
}
public String getUserName(){
return username;
}
public String getPassword(){
return password;
}
}
Here is my code on the client side when the user clicks 'Login'
public void onClick(Widget sender)
{
User attemptedLogin = new
User(userNameTextBox.getText(),
passwordTextBox.getText());
ServerService rpc = new ServerService();
rpc.checkLogin(attemptedLogin, callback);
}
So, it should send over the userName and Password to the server via an
RPC call.
Here is my code on the server (Incomplete at moment):
public ServerSQLData checkLogin(User message)
{
try {
dc.openConnection();
String password = message.getPassword();
System.out.println(password: + password);
String hash = BCrypt.hashpw(password,
BCrypt.gensalt());
}
return result;
}
However, when I run GWT it produces the following error messages:
Analyzing 'com.project.client.ServerStatusSQLService' for serializable
types
Analyzing methods:
public abstract com.project.client.ServerSQLData checkLogin
(com.project.client.User message)
Parameter: com.project.client.User message
com.project.client.User
Type 'com.project.client.User' was not serializable and
has no concrete serializable subtypes
I'm guessing from the error messages I havent implemented the
Serializable type correctly for the User class. Can someone see where
I am going wrong?
Cheers for your help in advance.
Jack
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups
Google Web Toolkit group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to
google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~--~~~~--~~--~--~---
Re: Dealing with session timeout and container managed security
Thanks for your feedback. I can see where your approach comes from given the mentioned scenario. However, I neither do want to check for proper i.e. still valid authentication in all of my RemoteServiceServlet methods nor would I want my GWT application tie to an authentication mechanism at all. I'd like one and the same GWT app to work in a secure environment and in a regular environment - without changing the code. Those were my reasons to go with the container-managed-security-approach. On Mar 5, 12:47 am, Jason Essington jason.essing...@gmail.com wrote: The problem with jumping ahead of the RemoteServiceServlet for your authentication is that you don't have a good way to communicate to GWT that there was an authentication exception. I tend to do my JAAS login inside the RemoteServiceServlet where I can throw a checked AuthenticationException which I can in turn handle gracefully on the client side. consider this scenario: User loads a rather large cash worksheet that he needs to fill, the user begins filling the worksheet, then takes a break, and returns to complete the worksheet. This user then submits the completed worksheet. Now, with the previously mentioned technique, the session is checked before the request is deserialized and the server notices that the session has expired, and throws an authentication exception. The client recieves that exception in the onFailure() method of the callback and takes appropriate action to have the user reauthenticate. once that process is successful, the client application can resubmit the original request, and the user has not lost any of his work. If you use the default form based the world just stops, the user is forced to reauthenticate outside the scope of the application, and his progress is lost. This really aggravates customers by the way. -jason On Mar 4, 2009, at 7:30 AM, marcelstoer wrote: Hhhmm, the community being quiet can mean a lot of things...none are really positive. Was I talking about some dark GWT corners where no stable/proper solutions exist? Or is there simply no right way to solve my problem, but rather many potential solutions that all have their flaws? On Feb 28, 8:26 am, marcelstoer mar...@frightanic.com wrote: Is there some consensus or best practice in the GWT community as for how to deal with session timeout and container managed security? There are some pointers if you search for this subject, but some of the ideas are wild... In my case I use the Servlet container's built in security features for authentication as described in the Servlet specification. Hence, in my web.xm I protect access to the GWT application like so: security-constraint web-resource-collection web-resource-namemy app/web-resource-name url-pattern/app/*/url-pattern http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/public/login.jsp/form-login-page form-error-page/public/login.jsp?retry=true/form-error-page /form-login-config /login-config security-role role-name*/role-name /security-role So, the application (host/bootstrap page, RPC Servlet, etc.) is in the app folder and the login form (login.jsp) is in the public folder. This works flawlessly except for the session timeout use case. The application sends an RPC request to /app/AppServlet, the Servlet container requires authentication because the session had timed out and dutifully *forwards* to the login page. Hence, the result of the request is not some RPC/JSON/XML object as expected by the client but the login page HTML structure. The client simply isn't prepared for that and freezes i.e. doesn't do anything. I believe that on the server side everything is set up correctly. If the session timed out the requests don't even reach the RPC Servlet because it's intercepted by the container, fine. But how do you deal with this in the client? Should one write some custom AsyncCallback class that handles the reponse sent by the container? Thanks for your feedback. Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Re: Dealing with session timeout and container managed security
Hhhmm, the community being quiet can mean a lot of things...none are really positive. Was I talking about some dark GWT corners where no stable/proper solutions exist? Or is there simply no right way to solve my problem, but rather many potential solutions that all have their flaws? On Feb 28, 8:26 am, marcelstoer mar...@frightanic.com wrote: Is there some consensus or best practice in the GWT community as for how to deal with session timeout and container managed security? There are some pointers if you search for this subject, but some of the ideas are wild... In my case I use the Servlet container's built in security features for authentication as described in the Servlet specification. Hence, in my web.xm I protect access to the GWT application like so: security-constraint web-resource-collection web-resource-namemy app/web-resource-name url-pattern/app/*/url-pattern http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/public/login.jsp/form-login-page form-error-page/public/login.jsp?retry=true/form-error-page /form-login-config /login-config security-role role-name*/role-name /security-role So, the application (host/bootstrap page, RPC Servlet, etc.) is in the app folder and the login form (login.jsp) is in the public folder. This works flawlessly except for the session timeout use case. The application sends an RPC request to /app/AppServlet, the Servlet container requires authentication because the session had timed out and dutifully *forwards* to the login page. Hence, the result of the request is not some RPC/JSON/XML object as expected by the client but the login page HTML structure. The client simply isn't prepared for that and freezes i.e. doesn't do anything. I believe that on the server side everything is set up correctly. If the session timed out the requests don't even reach the RPC Servlet because it's intercepted by the container, fine. But how do you deal with this in the client? Should one write some custom AsyncCallback class that handles the reponse sent by the container? Thanks for your feedback. Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Dealing with session timeout and container managed security
Is there some consensus or best practice in the GWT community as for how to deal with session timeout and container managed security? There are some pointers if you search for this subject, but some of the ideas are wild... In my case I use the Servlet container's built in security features for authentication as described in the Servlet specification. Hence, in my web.xm I protect access to the GWT application like so: security-constraint web-resource-collection web-resource-namemy app/web-resource-name url-pattern/app/*/url-pattern http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/public/login.jsp/form-login-page form-error-page/public/login.jsp?retry=true/form-error-page /form-login-config /login-config security-role role-name*/role-name /security-role So, the application (host/bootstrap page, RPC Servlet, etc.) is in the app folder and the login form (login.jsp) is in the public folder. This works flawlessly except for the session timeout use case. The application sends an RPC request to /app/AppServlet, the Servlet container requires authentication because the session had timed out and dutifully *forwards* to the login page. Hence, the result of the request is not some RPC/JSON/XML object as expected by the client but the login page HTML structure. The client simply isn't prepared for that and freezes i.e. doesn't do anything. I believe that on the server side everything is set up correctly. If the session timed out the requests don't even reach the RPC Servlet because it's intercepted by the container, fine. But how do you deal with this in the client? Should one write some custom AsyncCallback class that handles the reponse sent by the container? Thanks for your feedback. Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Re: JDBC realm for form-based authentication in hosted mode
On Feb 5, 2:22 am, Sumit Chandel sumitchan...@google.com wrote: Hello everyone, I'm not very familiar with JDBC realm, but for starters, are you using hosted mode with the -noserver option (i.e., running hosted mode with your own custom Tomcat server that has JDBC realm configured?). No, I'm running an out-of-the-box GWT embedded Tomcat. As described in my previous posting, the ROOT.xml gets picked up correctly and Tomcat considers the realm configuration i.e. it authenticates me against the database referred to in the realm config. However, the parent context element in ROOT.xml asks me to define a docBase parameter. No matter what path I enter there, in subsequent requests Tomcat/GWT shell has problems locating some of the artifacts in my project. Through Tomcat debugging I tried to find out what its internal docBase value is (maybe set through GWT shell?) if I don't add ROOT.xml but didn't succeed. Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Does the GWT compiler have problems with Generics?
My *Async interface contains the following method signature: void reportsAvailableFor(Class? extends AbstractRow rowClass, AsyncCallbackBoolean callback); The method signature in the application i.e. Servlet interface likewise looks like: Boolean reportsAvailableFor(Class? extends AbstractRow rowClass); The GWT shell complains at startup that: [ERROR] Type 'java.lang.Class? extends ch.netcetera.eveni.client.model.table.AbstractRow' was not serializable and has no concrete serializable subtypes At that point I thought that GWT had an issue with the Generics parameter. Hence, I removed the restrictive ? extends AbstractRow suffix from the Class type, but GWT still complains about: 'java.lang.Class' was not serializable and has no concrete serializable subtypes Now this is definitely bogus IMO as java.lang.ClassT clearly states implements java.io.Serializable - and yes, I'm using GWT 1.5.3. Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Re: Does the GWT compiler have problems with Generics?
Thanks for your quick reply.
On Feb 8, 5:37 pm, Damien Picard picard.dam...@gmail.com wrote:
Hi,
Your class has to implement the interface
com.google.gwt.user.client.rpc.IsSerializable and you have to add a
As of GWT 1.5 this is no longer required, implementing
java.io.Serializable is enough.
free-parameters constructor as is :
public class MyClass implements IsSerializable{
public MyClass(){
...
}
}
Maybe this default constructor misses ?
Yes, indeed. I totally forgot about the default constructor. Thanks
for pointing that out. java.lang.Class does have a no-args
constructor, but it's private.
I just whish the GWT compiler were a little more verbose or precise
about the problem.
Marcel
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups
Google Web Toolkit group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to
google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~--~~~~--~~--~--~---
Re: JDBC realm for form-based authentication in hosted mode
On Jan 30, 6:39 pm, marcelstoer mar...@frightanic.com wrote: How do you use a JDBC realm for form-based authentication in hosted mode? Hosted mode and form-based authentication work just fine, but our JDBC realm isn't picked up by Tomcat? I have the realm configured in /my_Eclipse_project/tomcat/conf/gwt/ localhost/ROOT.xml like so: Context path=/com.mycompany.MyModule docBase=... Realm className=org.apache.catalina.realm.JDBCRealm etc... / /Context I can confirm that the config is being picked up at startup. The problem is, that no matter what path I try for the docBase attribute there are always some artifacts that cannot be found. Any ideas? -Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
JDBC realm for form-based authentication in hosted mode
How do you use a JDBC realm for form-based authentication in hosted mode? Hosted mode and form-based authentication work just fine, but our JDBC realm isn't picked up by Tomcat? -Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
log4j in hosted mode swallows Spring and Hibernate statements
In http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/1870ed6575c95f7b/dd6dc12a67feeb02?lnk=gstq=log4j+hosted+spring#dd6dc12a67feeb02 an issue was raised (but not solved apparently) that we're seeing here too. In hosted mode we're only seeing the log statements from our own GWT application, but we're missing the ones from Spring and Hibernate albeit the log4j config seems to be correct. It doesn't make a difference if I set the root logger to a debug level. Any ideas? Kind regards, Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Re: Client did not send nnn bytes as expected
On Dec 2, 10:13 am, Amit Kasher [EMAIL PROTECTED] wrote: Hi, Does anyone has any new insights about this issue? We've been investigating for over a year(!), and we seem to not be the only ones... http://tinyurl.com/5rqfp5 I was recently confronted with the very same exception but in a slightly different context. I implemented a Servlet listener that parsed the request before it was being forwarded through the filter chain to the GWT RPC Servlet. At the beginning I wasn't careful enough and tinkered with the request a bit too much, GWT doesn't like that. I now use the GWT RPC and RPCServletUtils classes to parse the request instead of doing it myself. HTH, Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Caching RPC calls with Servlet Filters
In thread http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/7824fc19faeecc32/37e0c085d3c0ccfb?lnk=gstq=rpc+caching#37e0c085d3c0ccfb some of you already discussed certain aspects of RPC caching. I intend to implement caching using a Servlet Filter. However, before even getting to the difficult part I stumbled across an issue that troubles me: a sensible cache id. Usually in web app contexts you use the request path plus all the parameters to build a (unique) cache id. Hence, I tried to use the fully qualified name of the remote method being invoked. With GWT RPC calls the relevant information is hidden in the request content instead of parameters or attributes. The request content can only be read once from the respective input stream. The plan was to call final String payload = RPCServletUtils.readContentAsUtf8 (httpServletRequest, true); final RPCRequest rpcRequest = RPC.decodeRequest(payload, null, null); and to get the method from the request. This fails because the GWT RemoteServiceServlet also calls RPCServletUtils.readContentAsUtf8(httpServletRequest, true); which then fails because the call from my filter already loaded the request content. Any ideas around that? Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Re: Form submitted twice?
On Sep 29, 11:54 am, Thomas Broyer [EMAIL PROTECTED] wrote: On 28 sep, 21:26, marcelstoer [EMAIL PROTECTED] wrote: I used the code provided as an example inhttp://google-web-toolkit.googlecode.com/svn/javadoc/1.5/com/google/g... to build a form panel. However, the form seems to get submitted twice as the Window.alert(The text box must not be empty); is executed twice. Any ideas as for why this happens? Might be issue 1585:http://code.google.com/p/google-web-toolkit/issues/detail?id=1585 It's issue 1585, indeed. And comment 10 most certainly helped: http://code.google.com/p/google-web-toolkit/issues/detail?id=1585#c10. Thanks a bunch. Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Form submitted twice?
I used the code provided as an example in http://google-web-toolkit.googlecode.com/svn/javadoc/1.5/com/google/gwt/user/client/ui/FormPanel.html to build a form panel. However, the form seems to get submitted twice as the Window.alert(The text box must not be empty); is executed twice. Any ideas as for why this happens? Regards, Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
Multi project setup i.e. dependent projects
What's the most sensible way to create a multi project setup? I'd have a parent project with two modules and a number of child projects dependent on the parent project. Each of those child projects also provides two modules which inherit from the respective parent module and extend/overwrite parts of it (at least different CSS and images). I'm developing in Eclipse. The fact that we're building our deliverables with Maven2 has only had a slight impact on the current project structure (only one project) and is irrelevant in this context I guess. I noticed that GWT has a problem in hosted mode if the child module has got CSS files with the same name as the CSS files in the respective parent module. The shell picks them up from the wrong public/style/css/folder. Any hints or pointers to articles on this issue? Thanks a bunch. Marcel --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Google Web Toolkit group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~--~~~~--~~--~--~---
