I can't comment about JAAS, but we use Spring Security for
authentication and authorization here. I think the concept would apply
to any security framework. You first need to authorize users, for
which there are a number of solutions. Spring Security comes with an
authentication servlet that you can submit data to by using a
FormPanel. Another approach (the one we're taking) is to use standard
GWT-RPC to send a User object to the server and authenticate that.

After you have the user authenticated, you want to authorize them to
enter specific areas. This has to be done manually in GWT. We handle
client-side authorization in our HistoryListener implementation (we
have a little framework to handle history changes), but it's
nonetheless a manual process where you have to get the current user
from the server (you can't trust what the client is carrying), and
depending on the user's permissions, determine if they can view the
specific area.

However, in the end, this doesn't really protect you because the user
can still modify the User object or can forge requests to your
servlets. Therefore, to restrict specific server-side services, you
need to implement method-based security. I'm not sure how it works in
JAAS, but in Spring Security you just annotate your methods with
@Secured("ROLE_ADMIN") and only admins can execute the secured method.

Hope that helps!

--
Arthur Kalmenson



On Thu, Mar 5, 2009 at 10:28 AM, tjmcc18 <[email protected]> wrote:
>
> I've seen several posts regarding using JAAS with GWT, but not a lot
> of answers.  I'm trying to wrap my brain around how to use these two
> technologies together to perform user authentication and
> authorization.
>
> The concept of using JAAS authentication with GWT seems
> straightforward enough.  I can create a custom LoginModule that verifies the
> login information. But how would I then do authorization?  For
> example, let's say I have a GWT servlet that I want to restrict to
> admin users?
>
> Has anyone done something like this before?  Any general thoughts on
> how to do this or a better way to do authentication/authorization with
> GWT would be appreciated.  Thanks,
>
> -TJ

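Added example, not part of the original message and not Spring Security's own code: a plain-Java dynamic proxy standing in for the interceptor behind @Secured, showing a method-level check that reads roles only from server-side session state and ignores a role claimed in the request. The names RequiresRole, AdminService, SecuredDemo and the session data are hypothetical and constructed for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

// Hypothetical stand-in for Spring Security's @Secured annotation.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface RequiresRole { String value(); }

interface AdminService {                       // hypothetical GWT-RPC style service interface
    @RequiresRole("ROLE_ADMIN")
    String deleteAccount(String claimedRole, String account);
}

class AdminServiceImpl implements AdminService {
    public String deleteAccount(String claimedRole, String account) {
        return "deleted " + account;           // no role check here: the proxy enforces it
    }
}

public class SecuredDemo {
    // Roles the server recorded at login, keyed by session id (constructed sample data).
    static final Map<String, Set<String>> SESSIONS = Map.of(
        "sess-alice", Set.of("ROLE_USER", "ROLE_ADMIN"),
        "sess-bob", Set.of("ROLE_USER"));

    // Wraps a service so every call is authorized against the server-side session only.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target, String sessionId) {
        InvocationHandler h = (proxy, method, args) -> {
            RequiresRole rule = method.getAnnotation(RequiresRole.class);
            Set<String> roles = SESSIONS.getOrDefault(sessionId, Set.of());
            if (rule != null && !roles.contains(rule.value()))
                throw new SecurityException("access denied: " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, h);
    }

    public static void main(String[] args) {
        AdminService impl = new AdminServiceImpl();
        // alice's payload claims ROLE_USER, but her session holds ROLE_ADMIN: allowed
        System.out.println(secure(AdminService.class, impl, "sess-alice").deleteAccount("ROLE_USER", "x"));
        try {   // bob's payload claims ROLE_ADMIN; the claim is ignored and the call is denied
            secure(AdminService.class, impl, "sess-bob").deleteAccount("ROLE_ADMIN", "y");
        } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The check fires on every invocation regardless of which client-side views were shown, so hiding a view in the history handler is only a convenience on top of it.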