Conditional rendering (i.e. hiding certain UI) would have to be done
manually or using something like Acris or Errai Workspace:
http://www.jboss.org/errai/Components/Workspaces.html. At the end of
the day, unless you're adding additional generator conditions to strip
non-admin parts based on authority, there's not much you can do to
prevent the user from opening Firebug or Web Inspector and looking at
all your hidden elements. Spring Security (AFAIK) strips out the
conditionally rendered pieces because it sends back the entire page
(web 1.0 style). So your options are as follows:

1) pull out the permissions from Spring Security, store them client side
and do conditional rendering yourself by hiding UI pieces.
2) use a framework like Acris or Errai Workspace.
3) build out some custom UiBinder parsers and some generators to
physically remove the conditionally rendered parts, then modify the
selector script to pull the appropriate generated files based on
authentication.

The last option is going to be a huge amount of work and really
doesn't give you additional benefit. The user can be as malicious as
they want on the client side (unhide admin functionality) as long as
you never trust anything that comes from the client side.

--
Arthur Kalmenson



On Tue, Jul 20, 2010 at 6:46 PM, seanrocket
<[email protected]> wrote:
> I am running GWT2.0.4 and Spring Security 3.03.
>
> I am able to authenticate with Spring Security but have not found a
> good way to conditionally render Widgets and Panels based on ROLES
> from Spring Security.
>
> For example: In the StockWatcher program, if a user has a ROLE_ADMIN
> then I want to allow that person to add an addPanel. But if the user
> has a role such as ROLE_GUEST who is not a ROLE_ADMIN, that user
> should not see the panel.
>
> I would like to do something like:
>   public void onModuleLoad() {
> .....
>            // Assemble Main panel.
>            mainPanel.add(stocksFlexTable);
>            // Compare string values with equals(), not ==
>            if ("ROLE_ADMIN".equals(SpringSecurityRole)) {
>                    mainPanel.add(addPanel);
>            }
>            mainPanel.add(lastUpdatedLabel);
>  ......
>     }
> I know UI conditional rendering can be easily accomplished using jsp
> and the Spring Security tags (as shown below). But we don't want to
> use jsp.
>
> <sec:authorize access="hasRole('ROLE_ADMIN')">
>  <input type="submit" value="Add" />
> </sec:authorize>
>
> I have searched GWT forums, Google Groups and other GWT book forums
> and Spring book forums and have not found a good solution.
>
> I've tried the acris security
> http://code.google.com/p/acris/wiki/Introduction
> but the roles don't seem to come from Spring Security but rather its
> own implementation. It uses Spring Security for server side security
> not UI conditional rendering. UI conditional rendering ROLES come from
> its own filter
> sk.seges.acris.security.server.SessionRemoteServiceFilter and a
> user-defined Grants interface.
>
> I've also tried gwt-incubator lib
> http://code.google.com/p/gwt-incubator-lib/ but that seems to only
> cover authentication and no conditional rendering.
>
> I've seen some news feed about calling back to Spring Security but
> didn't know how to accomplish the actual calls.
>
> DoCheckUserAuth checkAuth = new DoCheckUserAuth();
> boolean b = checkAuth.askServerAboutUser();
> if (b) {
>     // RootPanel exposes add(Widget); the constructor call needs parentheses
>     RootPanel.get("formPoint").add(new PrivateForm());
> } else {
>     RootPanel.get("messagePoint").add(new Label("Please, pass authorization"));
> }
>
> Your help is much appreciated
>
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Google Web Toolkit" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/google-web-toolkit?hl=en.
>
>
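
Added example, not part of the original thread: a server-side sketch of option 1 from the reply, where the roles are read from Spring Security for the client to use as a display hint and the admin action is checked again on the server. The names StockAdminService, StockAdminServiceImpl, getCurrentRoles, addStock and persist are hypothetical.

```java
// Added example: StockAdminService, StockAdminServiceImpl, getCurrentRoles and
// addStock are hypothetical names, not code from the thread.
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

import java.util.HashSet;

// StockAdminService is the assumed GWT RemoteService interface declaring the
// two public methods below.
public class StockAdminServiceImpl extends RemoteServiceServlet
        implements StockAdminService {

    /** Role names of the caller, read from the Spring Security context.
     *  The client uses them only to decide which widgets to show. */
    public HashSet<String> getCurrentRoles() {
        HashSet<String> roles = new HashSet<String>();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.isAuthenticated()) {
            for (GrantedAuthority authority : auth.getAuthorities()) {
                roles.add(authority.getAuthority());
            }
        }
        return roles;
    }

    /** Admin-only action. The role is re-checked here on every call, so a
     *  user who unhides the panel in the browser still cannot add a stock. */
    public void addStock(String symbol) {
        if (!getCurrentRoles().contains("ROLE_ADMIN")) {
            throw new AccessDeniedException("ROLE_ADMIN required");
        }
        if (symbol == null || !symbol.matches("[A-Z0-9.]{1,10}")) {
            throw new IllegalArgumentException("invalid stock symbol");
        }
        persist(symbol);
    }

    // Placeholder for the application's own storage call (assumption).
    private void persist(String symbol) {
        // e.g. hand the symbol to a DAO
    }
}
```

On the client, the set returned by getCurrentRoles() decides only whether mainPanel.add(addPanel) runs; the check inside addStock() is what enforces the rule. This assumes the Spring Security filter chain covers the RPC servlet's URL so that the security context is populated for each call.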
