Sim123,

I'm sorry, I didn't write the GWTLogin Security paper, which documents
an approach other than what I use.  I think that if you buy into the
idea of using session cookies for security (i.e., reinventing the
security wheel in order to get control over login/registration form
look and feel), then you need to go all the way and follow the advice
in the paper.

However, I'm suggesting a simpler approach, one which I'm using on my
project, which is simply configuring your server to protect the
resources you want protected using HTTP Digest authentication.
Depending on what your server is, find the documentation on
configuring that.  There's not a whole lot more to it.

For instance, using JBoss/Tomcat for my web container, I deploy a
jboss-web.xml file that sits right next to the standard web.xml file
and contains the following:
"""
<jboss-web>
    <security-domain>java:/jaas/digest</security-domain>
</jboss-web>
""".

In the default JBoss configuration, there are digest-users and
digest-roles xml files.  It's not difficult to switch to a JDBC-based
authentication, though, which is what I do.

Walden
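A worked example of the container-side configuration described above, and of the Basic/Digest/Basic-over-SSL choice from the Sep 30 message further down (this is an added example, not code from the original posts or from the GWT project). The jboss-web.xml only names the security domain; which resources are protected and how the browser is challenged is declared in the standard web.xml next to it. The servlet class, the /app/rpc/* path, the "student" role and the realm name "digest" are assumptions chosen for the illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- GWT RPC endpoint (class name and path are assumptions).  The RPC
       service carries no sessionID parameter and no security logic of
       its own; the container decides who may reach it. -->
  <servlet>
    <servlet-name>studentService</servlet-name>
    <servlet-class>com.example.server.StudentServiceImpl</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>studentService</servlet-name>
    <url-pattern>/app/rpc/*</url-pattern>
  </servlet-mapping>

  <!-- Everything under /app/rpc/ requires an authenticated user in the
       'student' role.  Deliberately no <http-method> elements: listing
       only GET and POST would leave every other verb (HEAD, PUT, ...)
       unprotected, a classic security-constraint mistake. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rpc</web-resource-name>
      <url-pattern>/app/rpc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>student</role-name>
    </auth-constraint>
    <!-- For "HTTP Basic over SSL" instead of Digest: switch <auth-method>
         below to BASIC and uncomment this block so the container refuses
         (or redirects) plain-HTTP access to the constrained URLs.
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    -->
  </security-constraint>

  <!-- HTTP Digest: the browser handles the challenge/response itself and
       re-sends a hash (never the password, never a session ID in the RPC
       payload) on each request.  With DIGEST the realm name is part of
       what gets hashed, so it must match the realm the user store behind
       java:/jaas/digest was built against. -->
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>digest</realm-name>
  </login-config>

  <security-role>
    <role-name>student</role-name>
  </security-role>
</web-app>
```

With this in place the RPC servlet can still find out who is calling without any extra method parameters: inside a GWT RemoteServiceServlet, getThreadLocalRequest().getUserPrincipal() returns the container-authenticated user, and getThreadLocalRequest().isUserInRole("student") checks the role, which keeps the security check out of the business-logic signatures.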

On Oct 1, 2:17 am, sim123 <[EMAIL PROTECTED]> wrote:
> If I should not piggyback my sessionID with RPC payload, then what
> does this line in GWTLogin Security means and could you please help me
> with how can I achieve this?
>
> "NB: Do NOT attempt to use the Cookie header to transfer the sessionID
> from GWT to the server; it is fraught with security issues that will
> become clear in the rest of this article. You MUST transfer the
> sessionID in the payload of the request"
>
> Here is the link of this article
>
> http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecur...
>
> Thank you so much for your response. I appreciate your help.
>
> On Sep 30, 4:32 am, walden <[EMAIL PROTECTED]> wrote:
>
>
>
> > Sim123,
>
> > I don't think you mentioned whether you are using the regular Hosted
> > Mode or the -noserver variant of that.  To test ServletFilter
> > behavior, you will have to go with -noserver, or else test in a web
> > mode environment.  That's the first thing.
>
> > Second, you are making assumptions about how GWT RPC maps onto an HTTP
> > POST.  You cannot expect to dig RPC parameters out of the request as
> > if they were HTTP parameters.  Basically, RPC is opaque.
>
> > So here's the rub, and now I get to preach from the top of my little
> > crate again.  You are hand-rolling security by piggybacking
> > authentication session information right in the application layer of
> > your RPC stuff.  You are paying the price for this doubly: (1) you are
> > polluting your application logic with extra security parameters,
> > which should be orthogonal to your business logic, and (2) you can't
> > dig the session out of the RPC serialized mess, so even though you're
> > enduring the pain of (1), it won't work.
>
> > If I were you, I'd consider using either HTTP Basic, HTTP Digest, or
> > HTTP Basic over SSL for establishing and maintaining a secure session
> > with your server.  It all depends on how secure your app needs to be.
> > If you just need reasonable protection against stolen credentials, the
> > second option above should be fine.
>
> > Walden
>
> > On Sep 29, 4:52 pm, sim123 <[EMAIL PROTECTED]> wrote:
>
> > > Thanks for reply, actually I don't know where exactly the problem is,
> > > please bear with me.
>
> > > First thing is : Compile/Browser option is not working when Filter is
> > > enabled, this filter just checks for existing session using
> > > request.getSession(false), if session exists request is valid otherwise
> > > I am throwing an error message saying "session is null".
>
> > > In hosted mode everything works fine, no issues at all.
>
> > > Another thing which I noticed is strange behavior of the
> > > request.getParameter method in case of RPC. RPC methods are HTTP POST
> > > requests and now I am passing sessionID with the request payload i.e. as
> > > another parameter in my method
>
> > > public String getData(String studentID, String sessionID);
>
> > > I am trying to get this sessionID in my filter's doFilter method
>
> > > public void doFilter(ServletRequest request, ServletResponse response,
> > >                      FilterChain chain) throws IOException, ServletException {
> > >     if ( ! isLoginRequest(request) ) {
> > >         HttpServletRequest httpRequest = (HttpServletRequest) request;
> > >         HttpSession session = httpRequest.getSession();
> > >         // HttpSession has no getParameter(); request parameters are read
> > >         // from the request itself.
> > >         String sessionIDFromReq = httpRequest.getParameter("sessionID"); //this ID is null
>
> > >         if ( session.getId().equals( sessionIDFromReq) ) {
> > >             chain.doFilter(request, response);
> > >         } else {
> > >             throw new ServletException("session is null");
> > >         }
> > >     } else {
> > >         // login requests pass straight through
> > >         chain.doFilter(request, response);
> > >     }
> > > }
>
> > > The only thing I know is for some reason I am not getting sessionID in
> > > the filter even though the session is created. Please help, I hope I made
> > > things a little more clear this time.
> > > Thanks
> > > On Sep 29, 6:14 am, walden <[EMAIL PROTECTED]> wrote:
>
> > > > I'm not sure, but I think Tomcat should treat http://localhost and
> > > > http://<ip-address> as different origins requiring separate sessions.
> > > > If this is your only problem, then don't use the IP address to access
> > > > your site.
>
> > > > If it's not the only problem, then post some meaningful diagnostics
> > > > from your server log.  You should have done that in your first post.
>
> > > > Walden
>
> > > > On Sep 28, 1:08 pm, sim123 <[EMAIL PROTECTED]> wrote:
>
> > > > > Someone please look into this issue, I really have no clue what is
> > > > > going on.
>
> > > > > On Sep 27, 3:38 pm, sim123 <[EMAIL PROTECTED]> wrote:
>
> > > > > > I have a simple application built in GWT and java servlet
>
> > > > > > 1. User login : user logs in using an asynchronous call to server, RPC
> > > > > > service creates a session and returns it to client, on OnSuccess of
> > > > > > this login call I load data on to browser, there are few RPC calls and
> > > > > > one call to download pictures from another tomcat instance.
>
> > > > > > 2. I have servlet filter implemented to check if the request is valid
> > > > > > or not, based on session coming from Cookies this filter validates the
> > > > > > request and passes it to appropriate RPC or non RPC Servlet.
>
> > > > > > Now everything is working fine in hosted mode browser but when I do
> > > > > > compile/browse I get authentication exception in filter, I don't know
> > > > > > why is it so as I am getting the session ID back in onSuccess method
> > > > > > of Login call and after that I am performing all other operations. I
> > > > > > created a war file and deployed it on external tomcat, everything
> > > > > > works fine if I type "http://localhost:8080/login/Login.html", but if
> > > > > > I type ip address of my machine instead of localhost I get same
> > > > > > authentication exception saying session is null, is there something
> > > > > > related to redirecting to another tomcat's instance when loading
> > > > > > images? If that is the case why it is not happening in hosted mode and
> > > > > > in "localhost" ?
>
> > > > > > I would really appreciate if somebody could please help me with this
> > > > > > issue.
>
> > > > > > Thanks for all the help and support
>
>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---