Seems fine to me.  Do you have any specific problem?  The only
irritating thing to me is that the GWT RPC interface has to be
changed.  Hopefully the GWT team integrates this kind of feature into
the RPC protocol.

On Jan 25, 1:07 pm, Miroslav Genov <[email protected]> wrote:
> Hello Matt,
>
>   Yeah, I know that it will work, but I'm not sure that this is at 100%
> the right way and also a secure way. That's why I was looking for opinions
> and suggestions from other developers about this issue.
>
> Regards,
>   Miroslav
>
> On Sun, 2009-01-25 at 10:00 -0800, hazy1 wrote:
> > Hi,
>
> > I do what you describe (servlet filter).  It works OK.
>
> > Regards,
>
> > Matt
>
> > On Jan 25, 11:59 am, Miroslav Genov <[email protected]> wrote:
> > > Hello,
>
> > > >  I have a question regarding the security that Google is using with GWT.
> > > > Can anyone give a small overview of the design or maybe an
> > > > article about the security mechanism that Google is using with GWT?
>
> > > >  I'm asking these questions here, because I'm trying to create a small
> > > > security library for GWT which shall provide an easy way for securing of
> > > > GWT Server side code. I'm on the part where I have to find a secure way
> > > > for generation of a sid value and to define some interfaces for
> > > > authentication and for checking whether the SID that comes from the
> > > > client code is the same as the SID stored in the database or some other
> > > > kind of storage. That's why I've spent some time to understand how Google
> > > > Health application security was realized.
>
> > > > After a little sniffing on the Google Health application I found that there
> > > > are a lot of cookie values that are sent to the server. But the thing
> > > > that really confused me was the SID value:
> > > =DQAAAHoAAAAG8ODKHiiDYoiMJbU2-1sCJ7MsdDG7jpcxDKuTTTK20R9XKuRsUThI-d4xfC8SsqNz5k2VYwi0m1Ilgu_NBsh08oCorcezDdZ0YxYZgTQy79MBsdFcPE9ee61Uafl8iRLsj_EHnbXTXCoYrQz33UvKRh4yAMq3SwrL9M573zEwyw
>
> > > Does anyone know the algorithm that generates this sid?
>
> > > > From that article

> > > > http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw...
>
> > > I found that to secure a single service method you have to add the sid
> > > value as a parameter to the service method.
>
> > > "If you are using GWT's RPC mechanism, the solution is unfortunately not
> > > quite as clean.  However, there are still several ways you can
> > > accomplish it.  For instance, you can add an argument to each method in
> > > your RemoteService interface that contains a String.  That is, if you
> > > wanted this interface:"
>
> > > > Should all service methods always use this pattern? Or maybe there is
> > > > a secure way to do that with a cookie?
>
> > > > The idea which I currently have is to filter the incoming data with a
> > > > servlet filter and in the filter to inject ( Google Guice ) the logic
> > > > that checks the sid value with the value in the storage. If the value is
> > > > matching the application will call the doFilter method and will force
> > > the request to be completed. When the value is not matching then the
> > > application may throw an exception that the user that is trying to
> > > access this service is not authorized to do that.
>
> > > Regards,
> > >   Miroslav
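
An added example, not part of the thread and not GWT or Guice code: one way to generate the SID and to perform the check the servlet filter described above would make, comparing the cookie SID with the SID passed as the RPC argument and then looking it up in storage. The class `SidStore`, its method names, the 30-minute lifetime and the in-memory map standing in for the database are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not a GWT or Guice class. A servlet filter would call
// authenticate() and only invoke chain.doFilter() when it returns a user.
public class SidStore {
    private record Entry(String user, Instant expires) {}

    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(30); // assumed lifetime
    private final Map<String, Entry> bySidHash = new ConcurrentHashMap<>();

    // The SID is 256 bits from a CSPRNG: it encodes no user data and is not derived from any.
    public String issue(String user) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String sid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        bySidHash.put(hash(sid), new Entry(user, Instant.now().plus(TTL)));
        return sid;
    }

    // cookieSid: value of the session cookie; argSid: the SID sent as the RPC argument.
    public Optional<String> authenticate(String cookieSid, String argSid) {
        if (cookieSid == null || argSid == null) return Optional.empty();
        // Constant-time comparison of the two client-supplied copies.
        if (!MessageDigest.isEqual(utf8(cookieSid), utf8(argSid))) return Optional.empty();
        Entry e = bySidHash.get(hash(argSid));
        if (e == null || Instant.now().isAfter(e.expires())) return Optional.empty();
        return Optional.of(e.user());
    }

    // Only the SHA-256 of each SID is stored, so a leaked store holds no usable SIDs.
    private static String hash(String sid) {
        try {
            return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(utf8(sid)));
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }

    private static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        SidStore store = new SidStore();
        String sid = store.issue("miroslav"); // constructed sample user
        System.out.println("matching SIDs: " + store.authenticate(sid, sid));
        System.out.println("wrong RPC SID: " + store.authenticate(sid, "guessed"));
    }
}
```

Expired entries are rejected here but not purged; a real store would also delete them and remove the entry on logout.
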