Dealing with session timeout and container managed security

Fri, 27 Feb 2009 23:26:11 -0800 

Is there some consensus or best practice in the GWT community as for
how to deal with session timeout and container managed security? There
are some pointers if you search for this subject, but some of the
ideas are wild...

In my case I use the Servlet container's built in security features
for authentication as described in the Servlet specification. Hence,
in my web.xm I protect access to the GWT application like so:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>my app</web-resource-name>
      <url-pattern>/app/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/public/login.jsp</form-login-page>
      <form-error-page>/public/login.jsp?retry=true</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>*</role-name>
  </security-role>

So, the application (host/bootstrap page, RPC Servlet, etc.) is in the
"app" folder and the login form (login.jsp) is in the "public" folder.
This works flawlessly except for the session timeout use case.
The application sends an RPC request to /app/AppServlet, the Servlet
container requires authentication because the session had timed out
and dutifully *forwards* to the login page. Hence, the result of the
request is not some RPC/JSON/XML object as expected by the client but
the login page HTML structure. The client simply isn't prepared for
that and freezes i.e. doesn't do anything.

I believe that on the server side everything is set up correctly. If
the session timed out the requests don't even reach the RPC Servlet
because it's intercepted by the container, fine.

But how do you deal with this in the client?
Should one write some custom AsyncCallback class that handles the
reponse sent by the container?

Thanks for your feedback.
Marcel
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to