Well, as for any SPA (Single Page App), authentication and authorization are 
a concern of the server and not really the client. 

This is how I usually do it: 
1.) Make the index.html page dynamic. The backend adds information whether 
the user is logged in or not 
(http://www.gwtproject.org/articles/dynamic_host_page.html) when it is 
rendered.
2.) When GWT loads check the host page and retrieve the user information. 
If the user is not logged in, display Login Button/Menu item or whatever. 
3.) When the user clicks on the login menu item/button you can either a.) 
open a GWT dialog and display a form that creates a post request to the 
backend server or b.) navigate to a separate Non-GWT login page with a 
similar form. (I prefer the Non-GWT login page because it is a bit easier)
4.) Once the user submits the form with the credentials, the backend will 
check if the user credentials are correct and if so will create a session 
(using a session cookie for example). Usually the backend server/framework 
will handle this for you.
5.) For the Non-GWT login page you just need to redirect to the dynamic 
index.html (for the GWT dialog option you probably need to refresh the 
site).

Based on the user information that you retrieve from the dynamic index.html 
page you can hide and display specific UI elements. 
Nevertheless there is one important rule: *YOU SHOULD NEVER TRUST THE 
CLIENT.*
So you must validate and check every GWT request to the backend. Usually 
this can be done by a backend framework automatically. For example with 
Spring you can annotate your service layer with security annotations and the 
backend will throw an AccessDenied Exception. 

The second example you posted is basically describing this approach and you 
don't really mix GWT and Spring here because GWT has no idea of the Spring 
context. 




On Wednesday, December 9, 2015 at 12:12:10 PM UTC+1, va...@ant.ee wrote:
>
> Hello all,
>
>        I have found the GWT project documentation and examples on the website 
> fantastic. All major subjects are described with nice examples. What I 
> really miss there is user login and security (sessions, validation, etc.). 
> I can't really imagine any web project without user handling. For sure Google 
> has found many articles in this area and basically there are two options as 
> I understand:
>
>    1. https://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
>    2. http://examples.javacodegeeks.com/enterprise-java/gwt/gwt-spring-security-example/
>
>       The first article seems to be a bit old though it describes the basic 
> principles of a custom log-on implementation. The second one seems to be more 
> solid, but I am a bit scared of the fact that just for a single page I need to 
> add a Spring context. Mixing GWT and Spring does not make me confident I am 
> doing the right thing. Are there other ways to do log-on or are these two 
> patterns the most common?
>
>
>
> Thank you.
>
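
Added example, not part of the original post and not GWT or Spring code: a framework-neutral servlet filter that applies the "never trust the client" rule to GWT RPC calls by checking the server-side session on every request, without a Spring context. The `javax.servlet` API, the session attribute names `user` and `roles`, the `/app/admin` servlet path prefix and the `ADMIN` role are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example: rejects unauthenticated or under-privileged calls before
 * they reach any GWT RPC servlet. All attribute names, paths and role
 * names below are assumed for illustration.
 */
public class RpcAuthFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user == null) {
            // Hiding the UI element in GWT is cosmetic; this is the real gate.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Decide authorization from server-side session state only, and use
        // the container-resolved servlet path rather than the raw request URI.
        if (request.getServletPath().startsWith("/app/admin") && !hasRole(session, "ADMIN")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Roles are assumed to be stored as a Set<String> by the login handler.
    private static boolean hasRole(HttpSession session, String role) {
        Object roles = session.getAttribute("roles");
        return roles instanceof Set && ((Set<?>) roles).contains(role);
    }

    @Override
    public void destroy() { }
}
```

The filter only takes effect once it is mapped to the URL pattern of the RPC servlets in the deployment descriptor; the login endpoint itself must stay outside that pattern.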
