Hello, I have a question regarding the security that Google is using with GWT. Can anyone give a small overview of the design, or maybe point to an article about the security mechanism that Google is using with GWT?

I'm asking this question here because I'm trying to create a small security library for GWT which shall provide an easy way of securing GWT server-side code. I'm at the part where I have to find a secure way of generating a SID value and define some interfaces for authentication and for checking whether the SID that comes from the client code is the same as the SID stored in the database or some other kind of storage. That's why I've spent some time trying to understand how Google Health application security was realized. After a little sniffing on the Google Health application I found that there are a lot of cookie values that are sent to the server. But the thing that really confused me was the SID value:

=DQAAAHoAAAAG8ODKHiiDYoiMJbU2-1sCJ7MsdDG7jpcxDKuTTTK20R9XKuRsUThI-d4xfC8SsqNz5k2VYwi0m1Ilgu_NBsh08oCorcezDdZ0YxYZgTQy79MBsdFcPE9ee61Uafl8iRLsj_EHnbXTXCoYrQz33UvKRh4yAMq3SwrL9M573zEwyw

Does anyone know the algorithm that generates this SID?

From that article http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications I found that to secure a single service method you have to add the SID value as a parameter to the service method:

"If you are using GWT's RPC mechanism, the solution is unfortunately not quite as clean. However, there are still several ways you can accomplish it. For instance, you can add an argument to each method in your RemoteService interface that contains a String. That is, if you wanted this interface:"

Should all service methods always use this pattern? Or maybe there is a secure way to do that with a cookie?

The idea which I currently have is to filter the incoming data with a servlet filter and in the filter to inject (Google Guice) the logic that checks the SID value against the value in the storage. If the value matches, the application will call the doFilter method and will force the request to be completed. When the value does not match, the application may throw an exception that the user who is trying to access this service is not authorized to do that.

Regards,
Miroslav
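One way to realize the two pieces the post asks about, SID generation and the servlet-filter check against stored state, as an added example in Java (not code from the post, from GWT, or from Google Health). The SessionStore interface, the X-GWT-SID header name and the plain constructor in place of Guice wiring are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical storage abstraction (assumption): a DB or cache keyed by the
// container session id, returning the SID bytes issued at login, or null.
interface SessionStore {
    byte[] lookupSid(String sessionKey);
}

public class SidFilter implements Filter {
    private static final SecureRandom RNG = new SecureRandom();
    private final SessionStore store;

    // In a Guice setup this constructor would carry @Inject; plain here.
    public SidFilter(SessionStore store) { this.store = store; }

    // Issue a fresh SID at login: 256 bits from a CSPRNG, base64url without
    // padding so it is safe in a header or cookie. Its strength comes from
    // being unguessable, not from any algorithm over user data.
    public static String newSid() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // The client script adds the SID as a request header (assumed name) on
        // every RPC call; a browser never attaches it automatically the way it
        // does a cookie, which is what makes the check meaningful.
        String presented = req.getHeader("X-GWT-SID");
        HttpSession session = req.getSession(false);
        byte[] expected = (session == null) ? null : store.lookupSid(session.getId());
        if (presented == null || expected == null
                || !MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), expected)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // same answer for every failure
            return;
        }
        chain.doFilter(request, response); // SID matched: let the RPC servlet run
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

MessageDigest.isEqual compares the full length of both arrays regardless of where they differ, so the comparison does not leak how many leading bytes of the presented SID were right.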
