Hi, I do what you describe (servlet filter). It works OK.
Regards,
Matt

On Jan 25, 11:59 am, Miroslav Genov <[email protected]> wrote:
> Hello,
>
> I have a question regarding the security that Google is using with GWT.
> Can anyone give a small overview of the design, or maybe an
> article about the security mechanism that Google is using with GWT?
>
> I'm asking this question here because I'm trying to create a small
> security library for GWT which shall provide an easy way of securing
> GWT server-side code. I'm at the part where I have to find a secure way
> of generating a sid value and to define some interfaces for
> authentication and for checking whether the SID that comes from the
> client code is the same as the SID stored in the database or some other
> kind of storage. That's why I've spent some time understanding how Google
> Health application security was realized.
>
> After a little sniffing on the Google Health application I found that there
> are a lot of cookie values that are sent to the server. But the thing
> that really confused me was the SID value:
> =DQAAAHoAAAAG8ODKHiiDYoiMJbU2-1sCJ7MsdDG7jpcxDKuTTTK20R9XKuRsUThI-d4xfC8SsqNz5k2VYwi0m1Ilgu_NBsh08oCorcezDdZ0YxYZgTQy79MBsdFcPE9ee61Uafl8iRLsj_EHnbXTXCoYrQz33UvKRh4yAMq3SwrL9M573zEwyw
>
> Does anyone know the algorithm that generates this sid?
>
> From that article
>
> http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw...
>
> I found that to secure a single service method you have to add the sid
> value as a parameter to the service method.
>
> "If you are using GWT's RPC mechanism, the solution is unfortunately not
> quite as clean. However, there are still several ways you can
> accomplish it. For instance, you can add an argument to each method in
> your RemoteService interface that contains a String. That is, if you
> wanted this interface:"
>
> Should all service methods always use this pattern? Or maybe there is
> a secure way to do that with a cookie?
>
> The idea which I currently have is to filter the incoming data with a
> servlet filter and in the filter to inject (Google Guice) the logic
> that checks the sid value against the value in the storage. If the value
> matches, the application will call the doFilter method and will force
> the request to be completed. When the value is not matching, then the
> application may throw an exception that the user who is trying to
> access this service is not authorized to do that.
>
> Regards,
> Miroslav
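The filter Miroslav sketches and Matt says he uses, written out as an added example (not code from either poster or from GWT). It assumes a cookie named `sid`, a custom header `X-GWT-Sid` that the GWT client copies the cookie value into (this header plays the role of the article's extra String argument: a cross-site form or image can make the browser send the cookie, but cannot add the header), and a hypothetical `SidStore` lookup behind which the database or other storage sits.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical storage lookup: true if this SID was issued at login and is still live. */
interface SidStore {
    boolean isLive(String sid);
}

/** Guards the GWT RPC servlet: a call passes only if the sid cookie is known to the
 *  store AND the same value is echoed in a header a cross-site page cannot make the browser add. */
public class SidFilter implements Filter {
    static final String COOKIE = "sid";        // assumed cookie name
    static final String HEADER = "X-GWT-Sid";  // assumed header name, set by the GWT client
    private final SidStore store;

    public SidFilter(SidStore store) { this.store = store; } // Guice injects the store

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String fromCookie = cookieValue(http, COOKIE);
        String fromHeader = http.getHeader(HEADER);
        // Constant-time comparison so a mismatch does not leak how many bytes matched.
        boolean echoed = fromCookie != null && fromHeader != null
                && MessageDigest.isEqual(fromCookie.getBytes(StandardCharsets.UTF_8),
                                         fromHeader.getBytes(StandardCharsets.UTF_8));
        if (!echoed || !store.isLive(fromCookie)) {
            // Reject here rather than throwing: nothing downstream runs and the client sees 401.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res); // SID accepted: hand the call to the RPC servlet
    }

    private static String cookieValue(HttpServletRequest http, String name) {
        Cookie[] cookies = http.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
}
```

Map the filter to the RPC servlet's URL pattern in web.xml (or via a Guice servlet module); the store lookup is the only part that needs the database.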
