Thanks for the response... A few questions come up:

1. I'm using an HttpServlet for authentication, along with
RemoteServiceServlets for GWT-RPCs. But if I create an HttpSession in
my authentication servlet, I cannot seem to access it on the
RemoteServiceServlet... How am I supposed to access it? Example:

// In authentication HttpServlet
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    // ...
    req.getSession().setAttribute("user", new User("testUser")); // creates a session if it didn't exist beforehand
    // ...
}

// In GWT RPC servlet
public List<Offer> getOffers(int productId) {
    // ...
    User user = (User) getThreadLocalRequest().getSession().getAttribute("user"); // returns null
    // ...
}


2. Why are you using a MainSession singleton object? I don't see it...
Wouldn't it also fail once you have multiple users logged in at the
same time?

3. In your Main page, you're doing 2 sequential RPC calls before you
render anything: one to check logged in status, and one to load page
contents. Is this advisable or could it be avoided somehow? For
example, the server could set up a cookie with 'loggedIn=true' so that
you can skip the first RPC at least. And whenever you actually have to
fetch private content, the server can fail with an
AuthenticationException if the user is in fact not logged in. So if a
malicious user fakes the cookie to say he's logged in, the most he'll
ever see is a 'Logout' button when there shouldn't be one. Any other
place that needs to show user-specific information would still be
protected at the server. Does this make sense? What are the drawbacks
of this?

4. I assume the SessionTimeoutControl() object just sends an RPC to
the server every x seconds to check if the session is still alive or
not, correct? How do HttpSessions work across tabs and browsers? If my
user has 2 tabs open at my site, does he have 1 or 2 sessions? If it's
2 browsers?

Thanks!

On Jun 21, 6:58 pm, Bruno Lopes <[email protected]>
wrote:
> Hi, maybe this piece of code can help :) :
>
> You can use two modules/entries, one for the login other after login
>
> on login
>
> Client side:
>
> public void onModuleLoad() {
>         this.setLoginPanel();
>         LogUtils.info("Showing Login page");
>     loginButton = new Button("Login");
>         loginButton.addListener(new ButtonListenerAdapter() {
>             public void onClick(Button button, EventObject e) {
>                 userAuthentication();
>             }
>         });
>
>       .....
>
> private void userAuthentication() {
>         if (this.userNameField.getValueAsString().equals(""))
>             Window.alert("username must not be empty.");
>         else {
>             loginService = GWT.create(LoginService.class);
>             String username = this.userNameField.getValueAsString();
>             String password = this.passwordField.getValueAsString();
>             this.loginService.login(username, password,
>                     new AsyncCallback<LoginResponse>() {
>                 public void onFailure(Throwable caught) {
>                     Window.alert("server side failure: " + caught);
>                 }
>                 public void onSuccess(LoginResponse result) {
>                     if (result.isLoginSuccess()){
>                         Window.Location.replace("./../Main.html?gwt.codesvr=127.0.0.1:9997");
>                     }
>                     else Window.alert("username or password invalid.");
>                 }
>             });
>         }
>     }
>
> ON SERVER SIDE (the login method):
>
> public LoginResponse login(String username, String password) {
>         LoginPService loginService = ServiceLocator.getLoginService();
>         Person person = null;
>
>         try {
>             ManageLogs.info("Try to login for user: "+username);
>             person = loginService.getUserByUsername(username);
>
>             if (person == null){
>                 return new LoginResponse(false, false);
>             } else if (!loginService.checkPassword(password)){
>                 return new LoginResponse(false, false);
>             }
>
>         } catch (Throwable e) {
>
>             return new LoginResponse(false, false);
>         }
>
>         ManageLogs.info("Login successful for user: "+username);
>
>         LoginResponse response = new LoginResponse();
>         response.setLoginSuccess(true);
>
>         /* Creates the session */
>         MainSession mainSession = MainSession.getInstance();
>         mainSession.setRequest(getThreadLocalRequest());
>         mainSession.setUser(person);
>         return response;
>     }
>
> THE MainSession
>
> private static MainSession  mainSession=null;
>
>     public static MainSession getInstance(){
>         if(mainSession == null){
>             mainSession = new MainSession();
>             return mainSession;
>         } else {
>             return mainSession;
>         }
>     }
>
>     private MainSession(){
>
>     }
>
>     private static final String USER_SESSION = "userSession";
>     private HttpServletRequest request = null;
>     private HttpSession session = null;
>     private String sessionId = "";
>
>     public Person getUser(){
>
>         if(null == session) return null;
>
>         return session.getAttribute(USER_SESSION) != null ?
>                 (Person)session.getAttribute(USER_SESSION) : null;
>
>     }
>
>     public HttpSession getSession(){
>         return session;
>     }
>
>     public void invalidate(){
>         if(request!=null)
>             if(request.getSession(false)!= null)
>                  request.getSession(false).invalidate();
>         if(null != session){
>             session.invalidate();
>             session = null;
>         }
>         setSessionId(null);
>
>     }
>
>     public void setUser(Person user){
>         if(null == user){
>             if(session!=null) session.removeAttribute(USER_SESSION);
>             return;
>         }
>
>         if(null != request)
>             this.session = request.getSession(true);
>
>         if(session!=null){
>             session.setAttribute(USER_SESSION, user);
>             setSessionId(session.getId());
>         }
>
>     }
>
>     public String getId(){
>         HttpSession s = request == null ? null : request.getSession(false);
>         return s == null ? null : s.getId();
>     }
>
>     public HttpServletRequest getRequest() {
>         return request;
>     }
>
>     public void setRequest(HttpServletRequest request) {
>         this.request = request;
>     }
>
>     public String getSessionId() {
>         return sessionId;
>     }
>
>     public void setSessionId(String sessionId) {
>         this.sessionId = sessionId;
>     }
>
> ....
>
> ON THE SECOND ENTRY
>
> public void onModuleLoad() {
>         LogUtils.info("Loading Padroes Module");
>         MainSessionServiceAsync mainSessionService =
> GWT.create(MainSessionService.class);
>
>         AsyncCallback<Boolean> callback = new AsyncCallback<Boolean>(){
>             @Override
>             public void onFailure(Throwable caught) {
>                 LogUtils.debug("no session available");
>                 Window.Location.replace("./../Login.html");
>             }
>
>             @Override
>             public void onSuccess(Boolean result) {
>                 if(!result){
>                     LogUtils.debug("no session available");
>                     Window.Location.replace("./../Login.html");
>                     return;
>                 }
>
>                 LogUtils.info("creating new Session Time Out for this session");
>                 /* initialize timers for session time out control */
>                 new SessionTimeOutControl();
>
>                 /* Creates the layout */
>                 doLayout();
>
>             }
>         };
>
>         try{
>
>             mainSessionService.isValidSession(callback);
>
>         }catch(Exception e){
>             e.printStackTrace();
>
>         }
>     }
>
> public void doLayout(){
>         AsyncCallback<PageConfiguration[]> callback = new
> AsyncCallback<PageConfiguration[]>(){
>             @Override
>             public void onFailure(Throwable caught) {
>                 LogUtils.debug("server side error on getting PageConfiguration");
>                 Window.Location.replace("./../Login.html");
>             }
>
>             @Override
>             public void onSuccess(PageConfiguration[] result) {
>                 mainPanel.setStyleName("panel-border");
>                 mainPanel.setFrame(true);
>                 .......
>
> Hope it helps :)
>
> 2010/6/21 Jaroslav Záruba <[email protected]>
>
> > You don't need to generate session ids, they are generated automatically by
> > the server. You can invalidate a session though, as you may notice in the HttpSession
> > API. This results in a new session being generated. (I'm not sure though
> > whether this happens immediately or on the following http request. But that can
> > be tested easily.)
>
> > On Mon, Jun 21, 2010 at 11:17 PM, Rodrigo <[email protected]> wrote:
>
> >> Hi,
>
> >> Can someone point me in the right direction to implement a login +
> >> session system? What are the best practices? I read this page:
>
> >>http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecur...
>
> >> but am still confused about how HttpSessions are to be used, how to
> >> generate session ids, check if they're valid, etc. Any help is greatly
> >> appreciated!
>
> >> -Rodrigo
>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Google Web Toolkit" group.
> >> To post to this group, send email to [email protected].
> >> To unsubscribe from this group, send email to
> >> [email protected].
> >> For more options, visit this group at
> >>http://groups.google.com/group/google-web-toolkit?hl=en.
>
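The pattern the questions above circle around, as an added example that is not code from this thread or from any of its posters: one HttpSession written by a plain login HttpServlet and read by a RemoteServiceServlet through getThreadLocalRequest(), with the server as the only authority on login state and a client-readable loggedIn cookie used purely as a UI hint. Class, attribute and method names (LoginServlet, USER_ATTR, AuthenticatedServlet, OfferService) are assumptions, and Credentials is a constructed stand-in for a real credential store.

```java
// Added example, not code from the thread. One file (LoginServlet.java) for
// brevity; in a project each class gets its own file. Both servlets must be
// mapped in the SAME web app (same context path): the JSESSIONID cookie that
// identifies the HttpSession is scoped to that path. Class and attribute
// names below are assumptions; Credentials is a constructed stand-in.
import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/** Checked exception the client gets in onFailure(); declared on the RPC method. */
class AuthenticationException extends Exception implements Serializable {
    public AuthenticationException() {}                 // no-arg ctor: GWT serialization
    public AuthenticationException(String msg) { super(msg); }
}

/** What the session holds; Serializable so containers can persist sessions. */
class User implements Serializable {
    private String name;
    public User() {}
    public User(String name) { this.name = name; }
    public String getName() { return name; }
}

/** Constructed stand-in for a real credential store (store salted hashes there). */
class Credentials {
    static boolean check(String user, String pass) {
        if (user == null || pass == null) return false;
        byte[] expected = "testUser:s3cret".getBytes(StandardCharsets.UTF_8);
        byte[] given = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);  // constant-time compare
    }
}

/** Plain servlet: authenticates, puts the user in the HttpSession, sets a UI hint. */
public class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "user";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        if (!Credentials.check(username, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop any pre-login session so an attacker-planted JSESSIONID is not
        // promoted to an authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, new User(username));

        // Client-readable hint so the UI can skip a "logged in?" RPC. It is
        // writable by the client, so nothing on the server may rely on it.
        Cookie hint = new Cookie("loggedIn", "true");
        hint.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        hint.setSecure(req.isSecure());
        resp.addCookie(hint);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

/** Base for RPC servlets: every method that returns private data calls requireUser(). */
abstract class AuthenticatedServlet extends RemoteServiceServlet {
    protected User requireUser() throws AuthenticationException {
        // getSession(false): an RPC never creates a session. No session, or no
        // user in it, means "not logged in", whatever the loggedIn cookie says.
        HttpSession session = getThreadLocalRequest().getSession(false);
        Object user = session == null ? null : session.getAttribute(LoginServlet.USER_ATTR);
        if (!(user instanceof User)) throw new AuthenticationException("not logged in");
        return (User) user;
    }
}

interface OfferService extends RemoteService {
    List<String> getOffers(int productId) throws AuthenticationException;
}

class OfferServiceImpl extends AuthenticatedServlet implements OfferService {
    public List<String> getOffers(int productId) throws AuthenticationException {
        User user = requireUser();   // a forged loggedIn=true cookie gets no further
        // Constructed result; a real implementation queries the user's data here.
        return Collections.singletonList("offer for product " + productId + " for " + user.getName());
    }
}
```

Two things to check when the RPC servlet sees null where the login servlet stored a user: both servlets must live in the same web application, since the container's JSESSIONID cookie is scoped to that web app's context path (a login servlet deployed in another context, or reached through a different host name in hosted mode, creates a session the RPC servlet never receives); and nothing between login and the RPC may hold the session in a static singleton, because a static MainSession is shared by every request on the server and the most recent login overwrites everyone else's, whereas request.getSession(false) on each call is per-user by construction. That same cookie is what ties tabs together: every tab of one browser profile sends the same JSESSIONID and so shares one HttpSession, while a second browser has its own cookie jar and therefore its own session.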
