Some form of credentials (login/password, or more likely a "token" or
"session ID") must be sent with *each and every* request to the server, and
the server must check authorizations and/or "profile" (filter, etc.) the
response depending on the user who made the request.
How you do it exactly is up to you, depends on your server-side technology
stack (you're using GWT-RPC, so I'm assuming a Java web app; but there
still might be huge differences depending on how you deploy it and
how/whether you're going to scale horizontally). Easiest will be to simply
store the user in the HttpSession (HttpServletRequest.getSession), so the
"session ID" is sent to the browser as a cookie, and the browser then
automatically sends it with each request.
Next thing you need to care about though, is CSRF (cross-site request
forgery), so you'd want to actually send a "synchronizer token" to the GWT
app (and store it in the HttpSession), which will send it in each request
(either in a custom HTTP header, or as an argument to your RPC), and the
server checks that the received token is the same as the one stored in the
session.
See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
This is Web App Security 101 (A2, A4 and A8 in https://www.owasp.org/index.php/Top_10_2013-Top_10 )
Last note: I'd store the user (and csrf token) on the client-side in a
"global variable", and *not* use it in the URL.
On Monday, June 6, 2016 at 3:29:19 PM UTC+2, Olar Andrei wrote:
>
> Well, the login is done as down below
>
> final String username = usernameBox.getText();
> final String password = passwordBox.getText();
> GWT.runAsync(new RunAsyncCallback() {
>
>     @Override
>     public void onSuccess() {
>         performUserConnection(username, password);
>     }
>
>     @Override
>     public void onFailure(Throwable reason) {
>         // TODO Auto-generated method stub
>     }
> });
>
> private static void performUserConnection(String username, String password) {
>     DOM.getElementById("loading").getStyle().setDisplay(Display.BLOCK);
>     DBConnectionAsync rpcService = (DBConnectionAsync) GWT.create(DBConnection.class);
>     ServiceDefTarget target = (ServiceDefTarget) rpcService;
>     String moduleRelativeURL = GWT.getModuleBaseURL() + "DBConnectionImpl";
>     target.setServiceEntryPoint(moduleRelativeURL);
>
>     rpcService.authenticateUser(username, password, new AsyncCallback<User>() {
>
>         @Override
>         public void onSuccess(User user) {
>             DOM.getElementById("loading").getStyle().setDisplay(Display.NONE);
>             if (user.getType().equals("User")) {
>                 String username = user.getUsername();
>                 presenter.goTo(new UserPlace(username));
>             } else if (user.getType().equals("Admin")) {
>                 String username = user.getUsername();
>                 presenter.goTo(new AdminPlace(username));
>             }
>         }
>
>         @Override
>         public void onFailure(Throwable caught) {
>             DOM.getElementById("loading").getStyle().setDisplay(Display.NONE);
>             DialogBox dialogBox = createDialogBox();
>             dialogBox.setGlassEnabled(true);
>             dialogBox.setAnimationEnabled(true);
>             dialogBox.center();
>             dialogBox.show();
>         }
>     });
> }
>
> So there is a form, the username and password are sent to the server using
> RPC, the user is checked and the password verified (BCrypt hash), and
> then if they match, in the onSuccess() method the user is redirected to the
> new Place with the username as token.
>
> How should I change this?
>
> On Monday, 6 June 2016, 14:47:47 UTC+3, Olar Andrei wrote:
>>
>> Hello,
>>
>> For now my application (MVP) has a login page, and 2 other places, the
>> AdminPlace and the UserPlace.
>> My URL looks like this:
>>
>> http://127.0.0.1:8888/AdministrareBloc.html#AdminPlace:Admin
>>
>> The login form consists of username and password, where the username is
>> passed as a token to the next Place.
>> A user can't connect if he does not know the password, but let's say I'm
>> logged in like in the link above. If I change the Admin to Admin2 or
>> whatever, I still can see the page content. I don't want this. How can I
>> avoid this?
>>
>> Thanks in advance
>>
>>
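The session-plus-synchronizer-token scheme described in the reply above, written out as an added example (this is not code from the thread, from GWT, or from the poster's project): a servlet filter placed in front of the GWT-RPC servlet. It assumes the poster's `User` type with `getType()`/`getUsername()` is on the classpath, and the class name `SessionCsrfFilter`, the attribute names `USER_ATTR`/`CSRF_ATTR` and the header name `X-CSRF-Token` are choices made here, not anything the thread prescribes.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the thread. For every GWT-RPC request it is
 * mapped to, it enforces the two checks from the reply above:
 *   1. the caller is identified by the server-side HttpSession (whose id
 *      travels in the cookie), never by anything in the URL fragment;
 *   2. the request carries the synchronizer token stored in the session at
 *      login, otherwise it is rejected as a possible cross-site request.
 * Assumed names: USER_ATTR, CSRF_ATTR, the "X-CSRF-Token" header, and the
 * poster's User type (getType()/getUsername()).
 */
public class SessionCsrfFilter implements Filter {
    public static final String USER_ATTR = "authenticatedUser";
    public static final String CSRF_ATTR = "csrfToken";
    public static final String CSRF_HEADER = "X-CSRF-Token";
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * To be called by the login RPC (e.g. DBConnectionImpl.authenticateUser)
     * once the BCrypt check has passed. Returns the token the client must
     * echo back on every later request.
     */
    public static String startSession(HttpServletRequest req, User user) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate(); // fresh session id at login: defeats session fixation
        }
        HttpSession session = req.getSession(true);
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw); // 256 bits from a CSPRNG, unguessable per session
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(USER_ATTR, user);
        session.setAttribute(CSRF_ATTR, token);
        return token; // the client keeps it in a JS variable, not in the URL
    }

    /** Who is calling, according to the session (null if nobody is logged in). */
    public static User currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (User) session.getAttribute(USER_ATTR);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Check 1: a live session that holds an authenticated user.
        if (currentUser(req) == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Check 2: the header token must equal the one stored in the session.
        // MessageDigest.isEqual compares in constant time.
        String expected = (String) req.getSession(false).getAttribute(CSRF_ATTR);
        String supplied = req.getHeader(CSRF_HEADER);
        if (expected == null || supplied == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          supplied.getBytes(StandardCharsets.UTF_8))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map the filter (in web.xml) to the RPC servlet path only, and keep the login call outside it or on its own servlet, since no session exists before login. Inside the service implementation, decide authorization from `SessionCsrfFilter.currentUser(getThreadLocalRequest())` and its `getType()`, not from the place token the client navigated to; that is what stops `#AdminPlace:Admin2` from showing anything, because the server no longer trusts the URL. On the client, the token returned from login can be attached to every RPC by giving the `ServiceDefTarget` an `RpcRequestBuilder` whose `doFinish(RequestBuilder rb)` calls `rb.setHeader("X-CSRF-Token", token)`; the reply's alternative of passing it as an RPC argument works the same way on the server side.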