I have a Maven GWT 1.5 project split into a few parts. One of them is a
WAR with the client side and another is a WAR with the server side,
included in an EAR application. There is also a JAR which is a proxy
between client and server; I mean the client and server do not see each
other, but they both depend on this JAR, so all common classes and,
e.g., RPC interfaces are defined there.
I defined SecurityException in this JAR:
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
package pl.fizzycomp.client.common;
import com.google.gwt.user.client.rpc.IsSerializable;
import java.util.ArrayList;
import java.util.List;
public class SecurityException extends Exception implements IsSerializable {
    //CONSTRUCTORS HERE

    /**
     * User name of the user that didn't have permission
     */
    private String userName;

    /**
     * Set of examined and not found roles
     */
    private List<String> rolesExamined = new ArrayList<String>();

    /**
     * Adds role to @see rolesExamined
     * @param roleName role to add
     */
    public void addRole(String roleName) {
        rolesExamined.add(roleName);
    }

    /**
     * Adds roles to @see rolesExamined
     * @param roleNames list of roles to add
     */
    public void addRoles(List<String> roleNames) {
        rolesExamined.addAll(roleNames);
    }

    /**
     * @return @see rolesExamined as a String
     */
    public String getRolesExamined() {
        return rolesExamined.toString();
    }

    /**
     * @return @see userName
     */
    public String getUserName() {
        return userName;
    }

    /**
     * Sets @see userName to given value
     * @param userName value
     */
    public void setUserName(String userName) {
        this.userName = userName;
    }

    /**
     * @return message of the exception and values of @see userName and @see rolesExamined
     */
    public String toString() {
        return super.toString() + "; user: " + userName + ", examined roles: " + rolesExamined.toString();
    }
}
All RPC methods that throw SecurityException and their synchronous
interfaces declare this fact in the throws phrase.
I want to catch this exception and service it (by writing info to the
log and a database table) in an aspect manner on the server side, before
it reaches the client side and is silenced by the one trying to break
the security policy.
So I declared in web.xml on the server WAR:
<!-- This filter handles the pl.fizzycomp.client.common.SecurityException -->
<filter>
    <filter-name>SecurityExceptionFilter</filter-name>
    <filter-class>pl.xxx.server.filter.SecurityExceptionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SecurityExceptionFilter</filter-name>
    <url-pattern>/services/*</url-pattern>
</filter-mapping>
And the code of the filter:
import java.io.IOException;
import javax.ejb.EJB;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
// Assumption: log.fatal(...) suggests log4j 1.x; adjust if another logging API is used.
import org.apache.log4j.Logger;

public class SecurityExceptionFilter implements Filter {
    private FilterConfig filterConfig = null;
    private static Logger log = Logger.getLogger(SecurityExceptionFilter.class);

    @EJB
    private ErrorCodesFacadeLocal errorCodesFacade;

    @Override
    public void init(FilterConfig config) throws ServletException {
        this.filterConfig = config;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (filterConfig == null) {
            return;
        }
        try {
            // Debug output: dump the request and response before passing them on
            System.out.println("+++++++++++++++ SecurityExceptionFilter");
            System.out.println(request.toString());
            System.out.println("---------------------------------------");
            System.out.println(response.toString());
            System.out.println("+++++++++++++++++++++++++++++++++++++++");
            chain.doFilter(request, response);
        }
        catch (Throwable t) {
            log.fatal("Security violation attempt occured. Event will be written to ERROR_CODES table.", t);
            //TODO - database stuff
        }
    }

    /*
    private SecurityException examineSecurityException(final Throwable t){
        Throwable temp = t;
        while (temp != null){
            if (temp instanceof SecurityException){
                return (SecurityException) temp;
            }
            temp = temp.getCause();
        }
        return null;
    }
    */

    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}
Then I declared RPC method:
public List<IPersonWindowMember> doAdvancedPersonSearch(IAdvancedPersonSearchParameter apsp)
        throws SecurityException
{
    if (true) {
        SecurityException e = new SecurityException("testsecurityex");
        e.setUserName("username");
        e.addRole("role1");
        e.addRole("role2");
        throw e;
    }
}
I built and deployed the application, pushed the button that calls this
RPC service and this is the output:
+++++++++++++++ SecurityExceptionFilter
uri: /nserver//services/memberPersonService
method: POST
QueryString: null
Parameters:
Headers:
Name: host Value: localhost:8080
Name: user-agent Value: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.04 (hardy) Firefox/3.0.8
Name: accept Value: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Name: accept-language Value: en-us,en;q=0.5
Name: accept-encoding Value: gzip,deflate
Name: accept-charset Value: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Name: keep-alive Value: 300
Name: connection Value: keep-alive
Name: content-type Value: text/x-gwt-rpc; charset=utf-8
Name: referer Value: http://localhost:8080/npublisher/pl.xxx.Application/DE480B14B2E81DAED566DAB049C24946.cache.html
Name: content-length Value: 792
Name: cookie Value: JSESSIONID=88a931414f309d3f51c9a20beb8b
Name: pragma Value: no-cache
Name: cache-control Value: no-cache
---------------------------------------
org.netbeans.modules.web.monitor.server.monitorresponsewrap...@f1057
+++++++++++++++++++++++++++++++++++++++
PWC1412: WebModule[/nserver] ServletContext.log():ERROR: The module path requested, /npublisher/pl.xxx.Application/, is not in the same web application as this servlet, /nserver. Your module may not be properly configured or your client and server code maybe out of date.
PWC1412: WebModule[/nserver] ServletContext.log():WARNING: Failed to get the SerializationPolicy 'F552218E9F3DAC5D49701255C8F4130B' for module 'http://localhost:8080/npublisher/pl.xxx.Application/'; a legacy, 1.3.3 compatible, serialization policy will be used. You may experience SerializationExceptions as a result.
The filter was activated by the service but it didn't catch the exception.
The exception came to the client and I received its text in a
messagebox: RPC error: pl.xxx.client.common.SecurityException:
testsecurityex; user: username, examined roles: [role1, role2].
For a few days I've been trying to find out what's wrong and I'm stuck.
Once I did the same thing in a JSF application and it worked great; now I
can't get it to behave properly. This is when I ask you for help :)
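
GWT's RemoteServiceServlet serializes an exception declared in the service method's throws clause into the RPC response itself, so nothing propagates up the filter chain and a filter's catch block is never reached. An added example (not part of the original post and not GWT's own code): a base servlet that overrides processCall to record the exception on the server before it is encoded for the client. The class name AuditingRemoteServiceServlet and the helpers audit() and clean() are hypothetical, and the package declaration is omitted.

```java
import com.google.gwt.user.client.rpc.IncompatibleRemoteServiceException;
import com.google.gwt.user.client.rpc.SerializationException;
import com.google.gwt.user.server.rpc.RPC;
import com.google.gwt.user.server.rpc.RPCRequest;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
// Explicit import: otherwise the simple name resolves to java.lang.SecurityException.
import pl.fizzycomp.client.common.SecurityException;

/** Hypothetical base class; service servlets extend it instead of RemoteServiceServlet. */
public abstract class AuditingRemoteServiceServlet extends RemoteServiceServlet {
    @Override
    public String processCall(String payload) throws SerializationException {
        try {
            RPCRequest req = RPC.decodeRequest(payload, getClass(), this);
            Method method = req.getMethod();
            try {
                Object result = method.invoke(this, req.getParameters());
                return RPC.encodeResponseForSuccess(method, result, req.getSerializationPolicy());
            } catch (InvocationTargetException e) {
                Throwable cause = e.getCause();
                if (cause instanceof SecurityException) {
                    audit(method, (SecurityException) cause); // server-side record first
                }
                // Declared exceptions are serialized for the client; an undeclared one
                // makes this call throw, which the servlet treats as an unexpected failure.
                return RPC.encodeResponseForFailure(method, cause, req.getSerializationPolicy());
            } catch (IllegalAccessException e) {
                throw new RuntimeException("Cannot invoke " + method, e);
            }
        } catch (IncompatibleRemoteServiceException e) {
            return RPC.encodeResponseForFailure(null, e);
        }
    }

    private void audit(Method method, SecurityException e) {
        getServletContext().log("SECURITY_VIOLATION method=" + method.getName()
                + " user=" + clean(e.getUserName())
                + " roles=" + clean(e.getRolesExamined())
                + " remote=" + getThreadLocalRequest().getRemoteAddr());
        // The ERROR_CODES insert from the post's TODO would go here.
    }

    /** Strips CR/LF so client-influenced values cannot forge extra log lines. */
    private static String clean(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n]", "_");
    }
}
```

Because the audit happens inside processCall, the record is written whether or not the client code displays or swallows the failure it receives.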