Hello Matt, 

  Yeah, I know that it will work, but I'm not sure that this is 100%
the right way and also a secure way. That's why I was looking for opinions
and suggestions from other developers about this issue.


Regards,
  Miroslav

On Sun, 2009-01-25 at 10:00 -0800, hazy1 wrote:
> Hi,
> 
> I do what you describe (servlet filter).  It works OK.
> 
> Regards,
> 
> Matt
> 
> On Jan 25, 11:59 am, Miroslav Genov <[email protected]> wrote:
> > Hello,
> >
> >  I have a question regarding the security that Google is using with GWT.
> > Can anyone give a small overview of the design, or maybe an
> > article about the security mechanism that Google is using with GWT?
> >
> >  I'm asking this question here, because I'm trying to create a small
> > security library for GWT which shall provide an easy way of securing
> > GWT server-side code. I'm at the part where I have to find a secure way
> > of generating a sid value and to define some interfaces for
> > authentication and for checking whether the SID that comes from the
> > client code is the same as the SID stored in the database or some other
> > kind of storage. That's why I've spent some time understanding how the
> > Google Health application's security was realized.
> >
> > After a little sniffing on the Google Health application I found that there
> > are a lot of cookie values that are sent to the server. But the thing
> > that really confused me was the SID value:
> > =DQAAAHoAAAAG8ODKHiiDYoiMJbU2-1sCJ7MsdDG7jpcxDKuTTTK20R9XKuRsUThI-d4xfC8SsqNz5k2VYwi0m1Ilgu_NBsh08oCorcezDdZ0YxYZgTQy79MBsdFcPE9ee61Uafl8iRLsj_EHnbXTXCoYrQz33UvKRh4yAMq3SwrL9M573zEwyw
> >
> > Does anyone know the algorithm that generates this sid?
> >
> > From that article
> >
> > http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw...
> >
> > I found that to secure a single service method you have to add the sid
> > value as a parameter to the service method.
> >
> > "If you are using GWT's RPC mechanism, the solution is unfortunately not
> > quite as clean.  However, there are still several ways you can
> > accomplish it.  For instance, you can add an argument to each method in
> > your RemoteService interface that contains a String.  That is, if you
> > wanted this interface:"
> >
> > Should all service methods always use this pattern? Or maybe there is
> > a secure way to do that with a cookie?
> >
> > The idea I currently have is to filter the incoming data with a
> > servlet filter and in the filter to inject (Google Guice) the logic
> > that checks the sid value against the value in the storage. If the value
> > matches, the application will call the doFilter method and will force
> > the request to be completed. When the value does not match, the
> > application may throw an exception that the user who is trying to
> > access this service is not authorized to do that.
> >
> > Regards,
> >   Miroslav
> > 

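A servlet filter along the lines Miroslav describes, written here as an added example for this thread (it is not code from the thread, from Google or from GWT): the class name, the X-GWT-SID header, the in-memory store and the Guice-free wiring are assumptions. It generates the sid with SecureRandom, keeps only a SHA-256 digest of it in the store, and calls doFilter only when the sid supplied by the client code is found, sending 401 otherwise.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: rejects RPC requests whose SID is missing or unknown. */
public class SidAuthFilter implements Filter {
    /** Header the client code is assumed to copy the SID into (hypothetical name). */
    static final String SID_HEADER = "X-GWT-SID";
    /** Stand-in for the "database or other storage": SHA-256(sid) -> user name. */
    static final Map<String, String> SID_STORE = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    /** Issues a fresh SID: 128 random bits, base64url; only its digest is stored. */
    public static String issueSid(String user) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String sid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SID_STORE.put(hash(sid), user);
        return sid;
    }
    /** Returns the user owning the SID, or null if it is absent or unknown. */
    public static String userFor(String sid) {
        return (sid == null || sid.isEmpty()) ? null : SID_STORE.get(hash(sid));
    }
    /** Store only a digest, so a leaked table does not hand out usable SIDs. */
    private static String hash(String sid) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getUrlEncoder().encodeToString(md.digest(sid.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Read the SID from a header the client sets on purpose, not from a cookie: the browser
        // attaches cookies to any request, so a cookie alone does not show the app's own code called.
        String user = userFor(((HttpServletRequest) req).getHeader(SID_HEADER));
        if (user == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // chain.doFilter is not reached, so the service method never runs
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map the filter to the RPC servlet's path with a filter-mapping in web.xml, so static resources are not affected. The client code must copy the sid it received at login into the X-GWT-SID header on every RPC call.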

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---