Hey,

My advice would be to focus more on a server-side solution and not GWT (JavaScript). Your application server (tomcat, jetty, websphere, glassfish, jboss... or maybe even httpd - whatever you are using) would have the ability to secure URLs. It also has the ability to prompt for passwords, redirect to a login page, etc. You should not need to cut code for this, just configure your deployment descriptors (like web.xml) and possibly the application server.

It's difficult to answer your client-side ACL, but be careful... the only control you have on the browser is to limit what the server gives it (i.e. javascript+html) and limit what it can hit via rpc.

Regarding #3... if you can hit the URL (to either load the javascript/module or make an rpc service call) it means you've gotten past the appserver security - that means your javascript client is authenticated and so is your rpc callback.

I hope that helps :)

On Fri, Apr 30, 2010 at 9:01 PM, Yogesh <[email protected]> wrote:

> Hi,
>
> I am trying to develop an application using GWT.
>
> Let us say user opens my application page (say
> http://host:port/myapp/myapp.html),
> I want to check if user is logged in.
> if yes, my application should be loaded
> else login module should be loaded.
>
> to check if user is logged in, I am thinking of the following
> approach:
> - use JSP page as my application's host page. i.e. myapp.jsp instead of
> myapp.html
> - using JSP, i have access to HTTPSession. i check if user is logged
> in. i.e. in my case whether UserInfoDto object present in Session.
> - if user is logged in, I add a JSON in my JSP containing info about
> user preferences from UserInfoDto.
> say <script> var userinfo = {lang: "en", loggedIn: true,
> loggedInUser: "[email protected]"}; </script>
> - In my application's onModuleLoad(), i check if userinfo JSON is there
> and loggedIn is true. (using userInfo as Dictionary)
> if loggedIn is true, I load my application
> else I load Login Module in the host page.
>
> Questions:
> 1) when i know user is not logged in, should I load Login module or
> should I redirect user to login page? This login page will be another
> GWT module with its own Entry Point.
> I keep thinking, that redirecting to Login page is better for security
> point of view. because doing so, I think it is ensured that my
> application's JavaScript Code is not downloaded unless user is logged
> in.
> 2) Also, with the above approach, I am bundling together Login module
> and my application main module. So, both get downloaded whether user
> is logged in or not. I don't know if it's possible, but maybe someone
> can just change the value of 'loggedIn' in JSON to true and refresh
> the page/do something which will cause the application to get loaded
> (as the code is already downloaded for both logged in and not logged
> in scenarios) without user being logged in.
> 3) I would like to know if is there any other approach to implement
> the check whether user is logged in or not?
>
> Thanks.
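
The container-managed setup the reply describes, as an added example that is not part of the original thread: a `web.xml` fragment that puts the host page, the compiled GWT module and its RPC endpoints behind one security constraint and leaves only a separate login page public. The URL patterns, the `user` role and the `/login/` paths are assumptions chosen for illustration; users and roles are defined in the application server's realm configuration, which is not shown.

```xml
<!-- Added example. URL patterns, role name and login paths are assumptions. -->

<!-- One constraint covers everything a logged-in user needs: the host page,
     the compiled GWT module (its JavaScript) and the RPC servlets mapped
     under the module directory. No <http-method> element is listed, so the
     constraint applies to every HTTP method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>GWT application and RPC services</web-resource-name>
    <url-pattern>/myapp.html</url-pattern>
    <url-pattern>/myapp/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <!-- Require TLS so credentials and the session cookie are not sent in clear. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Form login: the container redirects unauthenticated requests for a
     protected URL to the login page. That page posts j_username and
     j_password to j_security_check. Nothing under /login/ matches the
     constraint above, so the login page and its assets stay public. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login/login.html</form-login-page>
    <form-error-page>/login/error.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

With this in place the container decides whether the application's JavaScript and RPC endpoints are served at all, so a `loggedIn` value embedded in the host page can only drive what the UI displays and is never the access check.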
