Thank you Ümit! I will follow the second approach. It is also described a bit better.
On Wednesday, December 9, 2015 at 3:37:15 PM UTC+2, Ümit Seren wrote:
>
> Well as for any SPA (Single Page App) authentication and authorization is a concern of the server and not really the client.
>
> This is how I usually do it:
> 1.) Make the index.html page dynamic. The backend adds information whether the user is logged in or not (http://www.gwtproject.org/articles/dynamic_host_page.html) when it is rendered.
> 2.) When GWT loads check the host page and retrieve the user information. If the user is not logged in, display Login Button/Menu item or whatever.
> 3.) When the user clicks on the login menu item/button you can either a.) open a GWT dialog and display a form that creates a post request to the backend server or b.) navigate to a separate Non-GWT login page with a similar form. (I prefer the Non-GWT login page because it is a bit easier)
> 4.) Once the user submits the form with the credentials, the backend will check if the user credentials are correct and if so will create a session (using a session cookie for example). Usually the backend server/framework will handle this for you.
> 5.) For the Non-GWT login page you just need to redirect to the dynamic index.html (for the GWT dialog option you probably need to refresh the site).
>
> Based on the user information that you retrieve from the dynamic index.html page you can hide and display specific UI elements.
> Nevertheless there is one important rule: *YOU SHOULD NEVER TRUST THE CLIENT.*
> So you must validate and check every GWT request to the backend. Usually this can be done by a backend framework automatically. For example with Spring you can annotate your service layer with security annotations and the backend will throw an AccessDenied Exception.
>
> The second example you posted is basically describing this approach and you don't really mix GWT and Spring here because GWT has no idea of the Spring context.
>
> On Wednesday, December 9, 2015 at 12:12:10 PM UTC+1, [email protected] wrote:
>>
>> Hello all,
>>
>> I have found GWT project documentation and examples at website fantastic. All major subjects are described with nice examples. What I really miss there is user login and security (sessions, validation, etc.). Can't really imagine any web-project without user handling. For sure Google has found many articles in this area and basically there are two options as I understand:
>>
>> 1. https://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
>> 2. http://examples.javacodegeeks.com/enterprise-java/gwt/gwt-spring-security-example/
>>
>> The first article seems to be a bit old though it describes basic principles of custom log-on implementation. Second one seems to be more solid, but I am a bit scared of the fact that just for single page I need to add Spring context. Mixing GWT and Spring does not make me confident I am doing the right thing. Are there other ways to do log-on or these two patterns are the most common?
>>
>> Thank you.
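
The server-side rule from the quoted reply, sketched without Spring as an added example that is not part of the thread or of any project it mentions: a servlet filter that rejects GWT RPC calls lacking an authenticated session, next to a dynamic host page that only reports login state to the UI. It assumes the `javax.servlet` API on the classpath; the session attribute `user`, the JS variable `userInfo`, the module script path and all class names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Assumed: attribute "user", variable "userInfo", script path, class names.
public class LoginExample {
    /** Map to the GWT RPC URL pattern: every call needs a server-side session. */
    public static class RpcAuthFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}
        @Override
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpSession session = ((HttpServletRequest) rq).getSession(false);
            if (session == null || session.getAttribute("user") == null) {
                // Hidden buttons are not access control: reject before the service runs.
                ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            chain.doFilter(rq, rs);
        }
    }

    /** Dynamic host page: only tells the GWT client which UI elements to show. */
    public static class HostPageServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse res)
                throws IOException {
            HttpSession session = req.getSession(false);
            Object user = (session == null) ? null : session.getAttribute("user");
            res.setContentType("text/html;charset=UTF-8");
            res.setHeader("Cache-Control", "no-store"); // per-user content
            res.getWriter().println("<!doctype html><html><head><script>"
                + "var userInfo = {loggedIn: " + (user != null) + ", name: \""
                + jsEscape(user == null ? "" : user.toString()) + "\"};</script>"
                + "<script src=\"app/app.nocache.js\"></script></head><body></body></html>");
        }
    }

    /** Escape so a user-controlled name cannot break out of the inline script. */
    static String jsEscape(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (Character.isLetterOrDigit(c) || c == ' ') b.append(c);
            else b.append(String.format("\\u%04x", (int) c));
        }
        return b.toString();
    }
}
```

The filter covers authentication only; per-role or per-object authorization still has to be checked inside each service method, which is what the security annotations mentioned in the reply do.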
