Re: login/logout/remember
To me it seems there is a problem with your approach. It looks like PadroesSession is a singleton class per entire server application, and it holds only one request and session at a time, while in a multi-client application you will have a session for each client connection. This means that:

- if user1 is logged in
- then user2 tries to log in
- for user2 you want to see if a user is already logged in; you check PadroesSession.getUser and see it returns a value (which is in fact user1), and then you allow user2 directly into the application

So I think that per server application you should work with a list of sessions, not just a single instance.

On Jun 16, 11:32 am, Bruno Lopes bruno.lourenco.lo...@gmail.com wrote:
> A serializable object from the persistence side.
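
The failure described in this reply, reproduced without a servlet container as an added example (not code from the thread): `FakeSession`, the `CONTAINER` map and the cookie ids are constructed stand-ins for the container's per-client `HttpSession` objects. In a GWT `RemoteServiceServlet` the per-request form corresponds to calling `getThreadLocalRequest().getSession(...)` inside each RPC method instead of caching a request or session in a static field.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not code from the thread. FakeSession, CONTAINER and the
// "cookie-A"/"cookie-B" ids are constructed stand-ins for a servlet container's
// per-client HttpSession objects.
public class SessionScopeDemo {

    static final String USER_SESSION = "userSession";

    /** Stand-in for HttpSession: one attribute map per client. */
    static final class FakeSession {
        final Map<String, Object> attrs = new HashMap<>();
    }

    /** Stand-in for the container's session table, keyed by session cookie. */
    static final Map<String, FakeSession> CONTAINER = new ConcurrentHashMap<>();

    static FakeSession sessionFor(String cookieId, boolean create) {
        return create
                ? CONTAINER.computeIfAbsent(cookieId, k -> new FakeSession())
                : CONTAINER.get(cookieId);
    }

    /** The pattern from the thread: one static holder for the whole application. */
    static final class SingletonHolder {
        private static final SingletonHolder INSTANCE = new SingletonHolder();
        private String cookieId;       // whoever called setUser last
        private FakeSession session;   // overwritten on every login

        static SingletonHolder getInstance() { return INSTANCE; }

        void setUser(String callerCookie, String user) {
            cookieId = callerCookie;
            session = sessionFor(callerCookie, true);
            session.attrs.put(USER_SESSION, user);
        }

        // No parameter: the holder cannot tell which client is asking.
        String getUser() {
            return session == null ? null : (String) session.attrs.get(USER_SESSION);
        }

        // Invalidates the session of the last client to log in, not the caller's.
        void invalidate() {
            if (cookieId != null) CONTAINER.remove(cookieId);
            cookieId = null;
            session = null;
        }
    }

    /** Per-request form: every call resolves the caller's own session. */
    static final class PerRequest {
        static void setUser(String callerCookie, String user) {
            sessionFor(callerCookie, true).attrs.put(USER_SESSION, user);
        }

        static String getUser(String callerCookie) {
            FakeSession s = sessionFor(callerCookie, false);
            return s == null ? null : (String) s.attrs.get(USER_SESSION);
        }

        static void invalidate(String callerCookie) {
            CONTAINER.remove(callerCookie);
        }
    }

    /** Returns { what client B sees before logging in, B's user after A signs out }. */
    static String[] runSingleton() {
        CONTAINER.clear();
        SingletonHolder holder = SingletonHolder.getInstance();
        holder.setUser("cookie-A", "user1");         // client A logs in
        String seenByB = holder.getUser();           // client B asks "am I logged in?"
        holder.setUser("cookie-B", "user2");         // client B logs in
        holder.invalidate();                         // client A clicks "Sign Out"
        return new String[] { seenByB, PerRequest.getUser("cookie-B") };
    }

    /** Same sequence of events with per-request session lookup. */
    static String[] runPerRequest() {
        CONTAINER.clear();
        PerRequest.setUser("cookie-A", "user1");
        String seenByB = PerRequest.getUser("cookie-B");
        PerRequest.setUser("cookie-B", "user2");
        PerRequest.invalidate("cookie-A");
        return new String[] { seenByB, PerRequest.getUser("cookie-B") };
    }

    public static void main(String[] args) {
        System.out.println("singleton:   " + Arrays.toString(runSingleton()));
        System.out.println("per-request: " + Arrays.toString(runPerRequest()));
    }
}
```

With the singleton, client B is treated as user1 before authenticating, and client A's sign-out destroys client B's session; with per-request lookup neither happens.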
Re: login/logout/remember
A serializable object from the persistence side.

On Wed, Jun 16, 2010 at 6:46 AM, Magnus alpineblas...@googlemail.com wrote:
> What's PersonDTO?
>
> Magnus
Re: login/logout/remember
What's PersonDTO?

Magnus

On 3 Jun., 22:36, Bruno Lopes bruno.lourenco.lo...@gmail.com wrote:
> Then on the server side for the LoginService
Re: login/logout/remember
Hi,

thank you for the code! I adopted it to my application.

So you authenticate the user via the remote service! But how do you actually store the user context the app is running in? Do you do some session management?

Thanks
Magnus

On Jun 2, 7:15 pm, Bruno Lopes bruno.lourenco.lo...@gmail.com wrote:
> Hi Alpine Bluster,
>
> look at this code:

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-tool...@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
Re: login/logout/remember
YES

on the server side I have something like this:

    import java.io.Serializable;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    public class PadroesSession implements Serializable {

        // Single static instance, shared by every request the server handles.
        private static PadroesSession padroesSession = null;

        public static PadroesSession getInstance() {
            if (padroesSession == null) {
                padroesSession = new PadroesSession();
                return padroesSession;
            } else {
                return padroesSession;
            }
        }

        private PadroesSession() {
        }

        private static final String USER_SESSION = "userSession";

        private HttpServletRequest request = null;
        private HttpSession session = null;

        // Returns the user stored in the held session, or null if there is none.
        public PersonDTO getUser() {
            if (null == session) return null;
            return session.getAttribute(USER_SESSION) != null
                    ? (PersonDTO) session.getAttribute(USER_SESSION) : null;
        }

        public HttpSession getSession() {
            return session;
        }

        // Invalidates the session of the held request and the held session.
        public void invalidate() {
            if (request != null)
                if (request.getSession(false) != null)
                    request.getSession(false).invalidate();
            if (null != session) {
                session.invalidate();
                session = null;
            }
        }

        // Stores the user in the session of the held request; null removes it.
        public void setUser(PersonDTO user) {
            if (null == user) {
                if (session != null) session.removeAttribute(USER_SESSION);
                return;
            }
            if (null != request) this.session = request.getSession(true);
            if (session != null) session.setAttribute(USER_SESSION, user);
        }

        public String getId() {
            return request.getSession(false).getId();
        }

        public HttpServletRequest getRequest() {
            return request;
        }

        public void setRequest(HttpServletRequest request) {
            this.request = request;
        }
    }

On Thu, Jun 3, 2010 at 2:45 PM, Magnus alpineblas...@googlemail.com wrote:
> Hi,
>
> thank you for the code! I adopted it to my application.
>
> So you authenticate the user via the remote service! But how do you actually store the user context the app is running in? Do you do some session management?
>
> Thanks
> Magnus
Re: login/logout/remember
Then on the server side for the LoginService

    public LoginResponse login(String username, String password) {
        LoginPService loginService = ServiceLocator.getLoginService();
        PersonDTO personDTO = null;
        try {
            personDTO = loginService.getUserByUsername(username);
            if (personDTO == null) {
                // Disabled log call; the message means "User not found".
                //.getInstance().info("Utilizador não encontrado: " + username);
                return new LoginResponse(false, false);
            } else if (!loginService.checkPassword(password)) {
                // Disabled log call; the message means "Wrong password for user".
                //UCCLogger.getInstance().info("Password errada do utilizador: " + username);
                return new LoginResponse(false, false);
            }
        } catch (Throwable e) {
            return new LoginResponse(false, false);
        }
        LoginResponse response = new LoginResponse();
        response.setLoginSuccess(true);
        // Hands the current RPC request and the user to the shared holder.
        PadroesSession padroesSession = PadroesSession.getInstance();
        padroesSession.setRequest(getThreadLocalRequest());
        padroesSession.setUser(personDTO);
        return response;
    }

On Thu, Jun 3, 2010 at 9:33 PM, Bruno Lopes bruno.lourenco.lo...@gmail.com wrote:
> YES
>
> on the server side I have something like this:
login/logout/remember
Hi,

I cannot find a minimalistic example that shows how to realize a login/logout functionality. Could please someone point me to such an example?

I also wonder where to put the different things. For example, the code that immediately reacts on the login button could be placed within the client folder of a GWT project, or it could be realized as a servlet. When do I use a servlet and how?

Thank you!
Magnus
Re: login/logout/remember
Hi Alpine Bluster,

look at this code:

    public void onModuleLoad() {
        this.setLoginPanel();
        loginButton = new Button("Login");
        loginButton.addListener(new ButtonListenerAdapter() {
            public void onClick(Button button, EventObject e) {
                userAuthentication();
            }
        });
        formPanel.addButton(loginButton);
        formPanel.setBorder(false);
        loginPanel.add(formPanel);

        // Pressing ENTER inside the login panel moves focus to the login button.
        Element appPanelEl = loginPanel.getElement();
        @SuppressWarnings("unused")
        KeyMap map = new KeyMap(appPanelEl, new KeyMapConfig() {
            {
                setKey(EventObject.ENTER);
                setKeyListener(new KeyListener() {
                    public void onKey(int key, EventObject e) {
                        loginButton.focus();
                    }
                });
            }
        });
        RootPanel.get("login_widget").add(loginPanel);
    }

    private void userAuthentication() {
        if (this.userNameField.getValueAsString().equals(""))
            Window.alert("username must not be empty.");
        else {
            loginService = GWT.create(LoginService.class);
            String username = this.userNameField.getValueAsString();
            String password = this.passwordField.getValueAsString();
            // Asynchronous GWT RPC call; the server decides whether the login succeeds.
            this.loginService.login(username, password, new AsyncCallback<LoginResponse>() {
                public void onFailure(Throwable caught) {
                    Window.alert("server side failure: " + caught);
                }

                public void onSuccess(LoginResponse result) {
                    if (result.isLoginSuccess()) {
                        Window.Location.replace("./../Main.html");
                    } else
                        Window.alert("username or password invalid.");
                }
            });
        }
    }

...

FOR LOGOUT

    private Panel northPanel = new Panel();
    Toolbar toolbar = new Toolbar();
    ToolbarButton logoutButton = new ToolbarButton("Sign Out");
    logoutButton.addListener(new ButtonListenerAdapter() {
        public void onClick(Button button, EventObject e) {
            LoginServiceAsync service = GWT.create(LoginService.class);
            // Ask the server to end the session, then return to the login page.
            service.logout(new AsyncCallback<Void>() {
                @Override
                public void onFailure(Throwable caught) {
                    caught.printStackTrace();
                }

                @Override
                public void onSuccess(Void result) {
                    Window.Location.replace("./../Login.html");
                }
            });
        }
    });
    tabPanel = new TabPanel();
    toolbar.addFill();
    toolbar.addText("welcome, " + someUser..);
    toolbar.addSeparator();
    toolbar.addButton(logoutButton);
    tabPanel.setWidth(NORMALIZE_SPACING);
    tabPanel.setTopToolbar(toolbar);
    northPanel.add(tabPanel);

On Wed, Jun 2, 2010 at 5:25 PM, Magnus alpineblas...@googlemail.com wrote:
> Hi,
>
> I cannot find a minimalistic example that shows how to realize a login/logout functionality. Could please someone point me to such an example?
>
> I also wonder where to put the different things. For example, the code that immediately reacts on the login button could be placed within the client folder of a GWT project, or it could be realized as a servlet. When do I use a servlet and how?
>
> Thank you!
> Magnus
Re: GWT Login/ Logout/ Remember Me (with concern in preventing Cross-Site Request Forgeries) Example
I suggest using container managed security so that you don't have to deal with most of this. I have implemented a GWT-based form login, but it required some hackery because of the way tomcat/glassfish handle redirecting for form login using request dispatching, therefore causing your moduleBaseUrl to be off and not being able to load any of the successive resource files. I was able to work around this using a jsp to do a meta redirect so that the browser would go to the real url.

On Apr 7, 3:57 pm, Sripathi Krishnan sripathikrish...@gmail.com wrote:
> For general ideas on how to implement remember me, the thread you started on stackoverflow (http://stackoverflow.com/questions/2594960/best-pratice-to-implement-...) should get you answers. I will try to answer the GWT specific things you should be doing over here.
>
> If you haven't already, please read http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw
> It's a bit dated, and will perhaps take you a while to go through it, but it is definitely worth reading if you are concerned about security.
>
> Once you have implemented remember-me, it is important that your website doesn't have XSS (cross site scripting) or CSRF (cross site request forgery) loopholes. Additionally, you must use an SSL certificate (https) to protect the cookie from a man-in-the-middle attack.
>
> Some suggestions for XSS and CSRF from a GWT perspective -
>
> *Cross Site Scripting*
>
> - Within GWT code, be wary of innerHTML() and eval() methods. Make sure that whatever string you pass to these methods is trusted. If it's not trusted, you'd have to escape the strings (http://www.530geeks.com/encode.jsp) appropriately. GWT takes care of things everywhere else.
> - If you are using JSNI, make sure you don't insert untrusted content into the dom. Same as above, use escaping if the strings are not trusted.
> - If you use an external javascript library, make sure it doesn't have loopholes.
> - Finally, if you use a jsp/servlet to generate the html, make sure that it doesn't echo input parameters without first escaping them.
>
> *Cross Site Request Forgery*
>
> - If you use GWT RPC (whether the legacy one or the new deRPC), you are already protected. GWT sets custom request headers before making an RPC call. It also uses post with a custom content type. These cannot be forged using a script/image/iframe/form from another domain.
> - If you use RequestBuilder to download JSON / XML, then you are on your own. Follow the best practices laid down by OWASP (http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_). GWT's security notes (http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw...) also has notes on how to protect against csrf.
>
> --Sri
>
> On 8 April 2010 02:36, Manuel Carrasco Moñino man...@apache.org wrote:
> > GWT (client side) has nothing to do with HttpOnly cookies because the browser cannot read them using javascript. You have to face it in the server side, sending a cookie from your servlet to the browser with the HttpOnly attribute set, the browser will remember it, and the next time it loads the GWT application it has to ask the server via RPC to know if the user has the appropriate cookies, if not you have to show the login screen.
> >
> > -Manolo
GWT Login/ Logout/ Remember Me (with concern in preventing Cross-Site Request Forgeries) Example
Does anyone have a good code example, on how to implement login/logout/remember me feature, using GWT, with concern on Cross-Site Request Forgeries.

My plan is to use HttpOnly: http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

However, I am not sure whether that will be sufficient enough.

Thanks.
Re: GWT Login/ Logout/ Remember Me (with concern in preventing Cross-Site Request Forgeries) Example
GWT (client side) has nothing to do with HttpOnly cookies because the browser cannot read them using JavaScript.

You have to face it on the server side, sending a cookie from your servlet to the browser with the HttpOnly attribute set. The browser will remember it, and the next time it loads the GWT application it has to ask the server via RPC to know if the user has the appropriate cookies; if not, you have to show the login screen.

-Manolo
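The flow described above (servlet sets an HttpOnly cookie, the module asks the server via RPC on load) could look like the following. This is an added example, not code from the thread: the class name, cookie name, 14-day lifetime and in-memory token map are assumptions, and the class still needs an `implements` clause for your own RemoteService interface declaring whoAmI and logout.

```java
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.*;

public class RememberMeServiceImpl extends RemoteServiceServlet {
    private static final String COOKIE = "REMEMBER";   // assumed cookie name
    // SHA-256(token) -> user; in-memory stand-in for a database table.
    private static final Map<String, String> TOKENS = new ConcurrentHashMap<>();

    // Call after the password check succeeded and "remember me" was ticked.
    void remember(String user) {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKENS.put(sha256(token), user);     // never store the raw token
        send(token, 14 * 24 * 3600);         // 14 days, assumed policy
    }
    // RPC called when the module loads; null means "show the login screen".
    public String whoAmI() {
        HttpSession session = getThreadLocalRequest().getSession(true);
        String user = (String) session.getAttribute("user");
        String token = cookieToken();
        if (user == null && token != null) user = TOKENS.get(sha256(token));
        if (user != null) session.setAttribute("user", user);  // per-client session
        return user;
    }
    public void logout() {
        String token = cookieToken();
        if (token != null) TOKENS.remove(sha256(token));  // revoke server-side
        getThreadLocalRequest().getSession(true).invalidate();
        send("", 0);                                      // Max-Age=0 deletes the cookie
    }
    private String cookieToken() {
        Cookie[] cs = getThreadLocalRequest().getCookies();
        if (cs != null) for (Cookie c : cs) if (COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }
    private void send(String value, int maxAge) {
        Cookie c = new Cookie(COOKIE, value);
        c.setHttpOnly(true);   // Servlet 3.0+: hidden from JavaScript
        c.setSecure(true);     // sent over HTTPS only
        c.setPath("/");
        c.setMaxAge(maxAge);
        getThreadLocalResponse().addCookie(c);
    }
    private static String sha256(String s) {
        try { return Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```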
Re: GWT Login/ Logout/ Remember Me (with concern in preventing Cross-Site Request Forgeries) Example
For general ideas on how to implement remember me, the thread you started on stackoverflow (http://stackoverflow.com/questions/2594960/best-pratice-to-implement-secure-remember-me) should get you answers. I will try to answer the GWT specific things you should be doing over here.

If you haven't already, please read http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications. It's a bit dated, and will perhaps take you a while to go through it, but it is definitely worth reading if you are concerned about security.

Once you have implemented remember-me, it is important that your website doesn't have XSS (cross site scripting) or CSRF (cross site request forgery) loopholes. Additionally, you must use an SSL certificate (https) to protect the cookie from a man-in-the-middle attack.

Some suggestions for XSS and CSRF from a GWT perspective -

*Cross Site Scripting*

- Within GWT code, be wary of innerHTML() and eval() methods. Make sure that whatever string you pass to these methods is trusted. If it's not trusted, you'd have to escape the strings (http://www.530geeks.com/encode.jsp) appropriately. GWT takes care of things everywhere else.
- If you are using JSNI, make sure you don't insert untrusted content into the DOM. Same as above, use escaping if the strings are not trusted.
- If you use an external JavaScript library, make sure it doesn't have loopholes.
- Finally, if you use a JSP/servlet to generate the HTML, make sure that it doesn't echo input parameters without first escaping them.

*Cross Site Request Forgery*

- If you use GWT RPC (whether the legacy one or the new deRPC), you are already protected. GWT sets custom request headers before making an RPC call. It also uses POST with a custom content type. These cannot be forged using a script/image/iframe/form from another domain.
- If you use RequestBuilder to download JSON / XML, then you are on your own. Follow the best practices laid down by OWASP (http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet). GWT's security notes (http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications) also have notes on how to protect against CSRF.

--Sri
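For the RequestBuilder case above, one common defence is a double-submit token, one of the patterns covered in the OWASP cheat sheet. The sketch below is an added example, not code from the thread or from GWT; the cookie name CSRF, the header name X-CSRF-Token and both class names are assumptions, and it assumes the server set a random, script-readable CSRF cookie at login, separate from the HttpOnly remember-me cookie.

```java
// ---- server/CsrfFilter.java: map it in web.xml to the JSON/XML endpoints ----
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

public class CsrfFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String header = req.getHeader("X-CSRF-Token");
        String cookie = null;
        if (req.getCookies() != null)
            for (Cookie c : req.getCookies())
                if ("CSRF".equals(c.getName())) cookie = c.getValue();
        // Both values must be present and equal (constant-time comparison).
        boolean ok = header != null && cookie != null && !cookie.isEmpty()
                && MessageDigest.isEqual(header.getBytes(StandardCharsets.UTF_8),
                                         cookie.getBytes(StandardCharsets.UTF_8));
        if (!ok) {
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF check failed");
            return;
        }
        chain.doFilter(rq, rs);
    }
}

// ---- client/JsonClient.java (GWT client code) ----
import com.google.gwt.http.client.*;
import com.google.gwt.user.client.Cookies;

public class JsonClient {
    public static Request get(String url, RequestCallback cb) throws RequestException {
        String token = Cookies.getCookie("CSRF");   // a page on another origin cannot read this
        if (token == null) throw new RequestException("no CSRF cookie; log in first");
        RequestBuilder rb = new RequestBuilder(RequestBuilder.GET, url);
        rb.setHeader("X-CSRF-Token", token);        // a plain form/img/script tag cannot set this
        return rb.sendRequest(null, cb);
    }
}
```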