Hi All,

   I think Spring Security uses JAAS, although I haven't checked.
In the past I have written 3 different JAAS modules for different
companies, and I am working on a 4th JAAS product to sell that is
specifically designed for GWT.  Basically you call the JAAS login code
in your login RPC or regular HTTP URL call over SSL (https), then you
stick the JAAS Subject (User object) in the servlet's session.  Then
you have some sort of filter (HttpFilter or, better yet, an override
of the RPC servlet) to check if the user is in the role necessary to
do something.
   You can use an HTTP filter (I think Spring does this), or better yet
take a look at the comments in this class:
http://cvs.adligo.org/viewvc/adi_gwt_rpc_servlet/src/org/adligo/i/adi/server/rpc/AdiControllerServlet.java?view=markup

Cheers,
Scott

On Mar 5, 9:40 pm, Arthur Kalmenson <[email protected]> wrote:
> I can't comment about JAAS, but we use Spring Security for
> authentication and authorization here. I think the concept would apply
> to any security framework. You first need to authorize users, for
> which there are a number of solutions. Spring Security comes with an
> authentication servlet that you can submit data to by using a
> FormPanel. Another approach (the one we're taking), is to use standard
> GWT-RPC to send a User object to the server and authenticate that.
>
> After you have the user authenticated, you want to authorize them to
> enter specific areas. This has to be done manually in GWT. We handle
> client side authorization in our HistoryListener implementation (we
> have a little framework to handle history changes), but it's
> nonetheless a manual process where you have to get the current user
> from the server (you can't trust what the client is carrying), and
> depending on the user's permissions, determine if they can view the
> specific area.
>
> However, in the end, this doesn't really protect you because the user
> can still modify the User object or can forge requests to your
> servlets. Therefore, to restrict specific server side services, you
> need to implement method based security. I'm not sure how it works in
> JAAS, but in Spring Security you just annotate your methods with
> @Secured("ROLE_ADMIN") and only admins can execute the secured method.
>
> Hope that helps!
>
> --
> Arthur Kalmenson
>
> On Thu, Mar 5, 2009 at 10:28 AM, tjmcc18 <[email protected]> wrote:
>
> > I've seen several posts regarding using JAAS with GWT, but not a lot
> > of answers.  I'm trying to wrap my brain around how to use these two
> > technologies together to perform user authentication and
> > authorization.
>
> > The concept of using JAAS authentication with GWT seems straight
> > forward enough.  I can create a custom LoginModule that verifies the
> > login information. But how would I then do authorization?  For
> > example, let's say I have a GWT servlet that I want to restrict to
> > admin users?
>
> > Has anyone done something like this before?  Any general thoughts on
> > how to do this or a better way to do authentication/authorization with
> > GWT would be appreciated.  Thanks,
>
> > -TJ
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---
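To make the approach discussed in this thread concrete (JAAS login called over HTTPS, the Subject stored in the servlet session, and a server-side role check that trusts nothing the client carries), here is an added, worked example. It is not code from the original posts or from the adligo project. It assumes the javax.servlet 3.x API is on the classpath, builds the JAAS Configuration in code so no jaas.config file or system property is needed, and the user names, passwords, role names and the "jaas.subject" session key are all constructed for the demonstration.

```java
// Added example (not from the original thread or from adligo): server-side JAAS login, Subject held in
// the HttpSession, role check on every protected request. Assumes javax.servlet 3.x; demo users are constructed.
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.servlet.*;
import javax.servlet.http.*;

public final class JaasGwtSecurity {
    public static final String SUBJECT_ATTR = "jaas.subject";   // session key; this example's choice

    /** Role attached to the Subject by the LoginModule; Serializable so the session can be replicated. */
    public static final class RolePrincipal implements Principal, java.io.Serializable {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Demo LoginModule: replace verify() with a real credential store (DB, LDAP, ...). */
    public static final class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { subject = s; handler = h; }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            char[] pw = pc.getPassword(); pc.clearPassword();       // getPassword() hands back a clone
            boolean ok = pw != null && verify(nc.getName(), pw);
            if (pw != null) Arrays.fill(pw, '\0');                  // don't keep the secret in memory
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            return true;
        }
        @Override public boolean commit() {   // roles are decided here, on the server, never taken from the client
            subject.getPrincipals().add(new RolePrincipal("alice".equals(user) ? "ROLE_ADMIN" : "ROLE_USER"));
            return true;
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
        private static boolean verify(String u, char[] pw) {        // constructed demo credentials only
            return ("alice".equals(u) && Arrays.equals(pw, "admin-pw".toCharArray()))
                || ("bob".equals(u) && Arrays.equals(pw, "user-pw".toCharArray()));
        }
    }

    // JAAS Configuration built in code, so no jaas.config file or system property is needed.
    private static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    };

    // Runs the JAAS login; returns the populated Subject or throws LoginException on failure.
    public static Subject login(String user, char[] password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("GwtApp", new Subject(), h, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    public static boolean hasRole(Subject s, String role) {      // no session (null Subject) never passes
        if (s == null) return false;
        for (RolePrincipal p : s.getPrincipals(RolePrincipal.class)) if (p.getName().equals(role)) return true;
        return false;
    }

    /** Login endpoint: refuse plain HTTP, rotate the session id, keep the Subject server-side only. */
    public static class LoginServlet extends HttpServlet {
        @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            if (!req.isSecure()) { resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required"); return; }
            String pw = req.getParameter("password");
            try {
                Subject s = login(req.getParameter("user"), pw == null ? new char[0] : pw.toCharArray());
                HttpSession old = req.getSession(false); if (old != null) old.invalidate();   // fixation defence
                req.getSession(true).setAttribute(SUBJECT_ATTR, s);
            } catch (LoginException e) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); }
        }
    }

    /** Map this in front of the protected GWT-RPC servlet; init-param "role" names the required role. */
    public static class RoleFilter implements Filter {
        private String role;
        @Override public void init(FilterConfig fc) { role = fc.getInitParameter("role"); }
        @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain) throws IOException, ServletException {
            HttpSession session = ((HttpServletRequest) rq).getSession(false);
            Subject s = session == null ? null : (Subject) session.getAttribute(SUBJECT_ATTR);
            if (!hasRole(s, role)) { ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN); return; }
            chain.doFilter(rq, rs);
        }
        @Override public void destroy() { }
    }
}
```

Wire it up in web.xml by mapping LoginServlet to the HTTPS login URL and RoleFilter, with an init-param of role=ROLE_ADMIN, to the url-pattern of the admin-only GWT-RPC servlet. Because the filter re-reads the Subject from the server-side session on every request and the role was assigned by the LoginModule rather than by anything the browser sent, a forged request or a tampered client-side User object gets a 403; the client-side checks in the HistoryListener remain useful for navigation but are not what protects the service.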
