In our application, I have built a proof of concept for this type of requirement. First, we are using GWT 2.0/GXT 2.0.1 and UiBinder. I have built custom parsers for UiBinder to support GXT widgets wrapped under a composite. These extended widgets have a secure method that takes a string of comma-delimited roles that are allowed to see the widget/composite. There are 3 policies available for secure: hide, disable, unallowed. The unallowed one is interesting for a component like a GXT window. Also, we have abstracted the concept of a page, which is a composite backed by a UiBinder xml for the layout. Finally, we have an annotation used for deferred binding which enforces the security for the page composite.

Our html page has been changed to a JSP to include some logic in it and is secured in the web.xml for a given set of roles. These roles are also defined in an Enum. We have a concept of a UserContext which holds all the roles of a given user as well as some specifics of the user such as profile. As soon as the user accesses the url of the page, they will need to authenticate (BASIC, FORM, CERTIFICATE). Once the page is served, we serialize (cache) the user context in the page for retrieval on the client side using the pattern found on the internet (I do not remember the link). The trick is to iterate through your roles defined in the Enum and perform a check against the isUserInRole of the request. If it returns true, you add it to the UserContext. Once on the client side, our framework checks the user context roles against the ones provided on the widget. It changes the state based on the policy selected, all this before the composite is attached to the browser.
This will provide different rendering (for example menu items) based on the user that is logged in. We have a lot more in our proof of concept, such as an MVC that is using annotations and deferred binding mostly to further enforce security, but that gives you an idea of how it could be structured.

On 3 oct, 09:12, Brian <[email protected]> wrote:
> What's the most standard way of getting the user principal and roles
> onto the client side of my GWT application? I know I'll need to check
> every one of the reads and writes on the server side because relying
> on client side objects is not secure. However, I want to present just
> the valid GUI objects on the client side. Some tabs I want certain
> users to have but not others. Same for certain buttons. I don't mind
> so much if the client side can reverse engineer and see all the hidden
> GUI components as long as the general users are presented with the
> appropriate screens.
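The role-to-UserContext trick and the three secure policies described in the reply, as an added example that is not the poster's code: the Role enum mirrors the web.xml roles, `UserContext.fromRequest` asks the container (`HttpServletRequest.isUserInRole`) for each enum value on the server, and `SecurityEnforcer.apply` runs on the client before attach. The `Securable` interface and the role names are assumptions, not GXT's API.

```java
import javax.servlet.http.HttpServletRequest;
import java.util.EnumSet;
import java.util.Set;

// Must mirror the <security-role> names declared in web.xml (hypothetical names).
enum Role { ADMIN, MANAGER, USER }

// The three policies secure() accepts, as described in the reply.
enum SecurePolicy { HIDE, DISABLE, UNALLOWED }

final class UserContext {
    final Set<Role> roles = EnumSet.noneOf(Role.class);

    // Server side (JSP): let the container answer for every enum role; the result
    // is what gets serialized into the page, so nothing client-supplied is trusted.
    static UserContext fromRequest(HttpServletRequest req) {
        UserContext ctx = new UserContext();
        for (Role r : Role.values()) {
            if (req.isUserInRole(r.name())) ctx.roles.add(r);
        }
        return ctx;
    }

    // Client side: parse the comma-delimited role list handed to secure().
    // Role.valueOf fails on an unknown name, so a typo in the UiBinder xml fails closed.
    static Set<Role> parseRoles(String csv) {
        Set<Role> out = EnumSet.noneOf(Role.class);
        for (String s : csv.split(",")) {
            if (!s.trim().isEmpty()) out.add(Role.valueOf(s.trim()));
        }
        return out;
    }

    boolean hasAny(Set<Role> allowed) {
        for (Role r : allowed) if (roles.contains(r)) return true;
        return false;
    }
}

// Minimal view of the wrapped composite (assumed interface, not a GXT type).
interface Securable { void setVisible(boolean v); void setEnabled(boolean e); }

final class SecurityEnforcer {
    // Called before the composite is attached. Returns false for UNALLOWED so the
    // caller skips attaching entirely (e.g. never opens the GXT window).
    static boolean apply(Securable w, String csvRoles, SecurePolicy policy, UserContext ctx) {
        if (ctx.hasAny(UserContext.parseRoles(csvRoles))) return true;
        switch (policy) {
            case HIDE:    w.setVisible(false); return true;
            case DISABLE: w.setEnabled(false); return true;
            default:      return false; // UNALLOWED
        }
    }
}
```

This only shapes the GUI; as Brian notes, every server-side read and write still has to re-check the container roles itself.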
