I have implemented something similar using a filter.
In the doFilter, you can cast the ServletRequest parameter to an
HttpServletRequest.
You will then have access to cookies and the container's session.
For example,
HttpServletRequest hRequest = (HttpServletRequest)request;
Cookie[] cookies = hRequest.getCookies();
hRequest.getSession().setAttribute("someattr", object);
(MyObject)myObject = hRequest.getSession().getAttribute("blap");
You could store your sessionid in a cookie, or in the container
session.
This can provide a pretty decent auth mechanism, I think.
1. My filter takes an initialization parameter, named "requiredrole".
If set, then the user must have that role or else the request is
denied or redirected or whatever.
2. If you use a cookie to send the sessionid, you can get it back
using hRequest.getCookies().
3. You can avoid sending your own sessionid to the client altogether,
and instead, store it in the container's session if you wish, using
hRequest.getSession().setAttribute().
(that is dependent on the container's session cookie coming from the
browser.)
You can stop there can continue on your way...
The following is some detail on how I have used this to create my own
login filter.
As for the user logged in, I have implemented a class that implements
java.security.Principal,
This must implement getName(). To that I added a set of roles.
public class MyPrincipal implements Principal
{
String name;
Set<String> roles = new HashSet<String>();
etc...
public String getName() { return name; }
public boolean isUserInRole(String role) { return roles.contains
(role); }
}
Additionally, I have a class that extends HttpServletRequestWrapper.
private class UserPrincipalRequestWrapper extends
HttpServletRequestWrapper
{
MyPrincipal p;
public UserPrincipalRequestWrapper(HttpServletRequest arg0,
MyPrincipal p)
{
super(arg0);
this.p = p;
}
public Principal getUserPrincipal()
{
return p;
}
public boolean isUserInRole(String role)
{
return p.isUserInRole(role);
}
So! How does this all work?
- A request comes in to the filter.
- The filter looks in the container session for a MyPrincipal object
- If not found, then redirect to the login page
- If found, then
- if requiresRole is set, verify the MyPrincipal object has that
role.
- create a UserPrincipalRequestWrapper using that MyPrincipal object
- call chain.doFilter(wrapper, response);
The login page is therefore required to assign a MyPrincipal object to
the session using
hRequest.getSession().setAttribute("principal", new MyPrincipal(...));
Inside the Servlet method, I can then call the standard auth methods,
for example:
// Get the request inside GWT servlet
HttpServletRequest request = getThreadLocalRequest();
request.getUserPrincipal();
request.isUserInRole("admin");
Finally, in my web.xml, I initialize multiple filters, with
requiredRole set to different things; I then apply that to different
servlets.
EG., I have a servlet for admin functions, and another for user
functions.
For bonus points, you can implement a persistent cookie (random
number?) that will reload the MyPrincipal into the container session,
if the container session does not already have one. This is to
support 'log in for two weeks' feature of many popular email sites for
example.
Well there you go, more detail than you ever needed to know...
Jamie.
-----------------------
Search for analog and digital television broadcast antennas in your
area:
http://www.antennamap.com/
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---
