On Thursday, March 3, 2011 4:16:40 PM UTC+1, KaffeineComa wrote:
> Hey Google GWT developers, could we get a response to this question please?
> You've created this elaborate editors framework that lots of people are
> trying to adopt, but there seems to be no way to secure it on the server
> side.
>
> Without any server-side checks, attackers are free to query, modify and
> persist entities as they see fit. This is a really serious problem.
>
> Maybe there is an obvious solution and I've been too dumb to find it. I've
> looked through the documentation, examples and even the source and haven't
> been able to solve this. We'd all be happy to RTFM, if you could give us a
> pointer.

It's indeed easy and rather obvious. If you look at the Expenses sample, you'll see how they do it using GAE to authenticate the user, but the overall mechanism is "portable" to any environment.

First, you need a way to intercept requests to the RequestFactoryServlet to check the user is authenticated: this is the role of a servlet Filter (or you can extend RequestFactoryServlet and override the service() or doPost() method).

Next, you have to communicate to the client that the user is not authenticated (important in case the session times out, for instance): it's up to you to choose your "protocol", but a response.sendError(HttpServletResponse.SC_UNAUTHORIZED); will be enough.

Finally, sending the info to the client is one thing, but the client has to handle it: this is the role of the RequestTransport that you can pass to RequestFactory's initialize() method. Just inherit DefaultRequestTransport and wrap the RequestCallback from super.createRequestCallback to handle getStatusCode()==401 (or whatever "protocol" you chose above) and do whatever you want (dispatch an event on your application's EventBus, redirect to the login page, simply do a Window.alert() and let the user refresh the page after they "backed up" their data using copy/paste to the Windows Notebook, etc.)

I'm sure I've already written all of this here (last month?), unfortunately I can't find it.
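The three steps described in the reply above, as an added example that is not code from the thread or from GWT itself: a servlet Filter that answers unauthenticated calls with 401 before they reach RequestFactoryServlet, and a RequestTransport that turns that status into a client-side event instead of a failed decode. It assumes GWT 2.2-era package names (com.google.web.bindery.*), a session attribute named authenticatedUser set by your own login code, and a hypothetical SessionExpiredEvent on your EventBus.

```java
// ---- file 1, server side: mapped in web.xml to the same URL as RequestFactoryServlet ----
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class RequestFactoryAuthFilter implements Filter {
    private static final String USER_ATTR = "authenticatedUser"; // assumed attribute name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getSession(false): never create a session just for an anonymous caller
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // the payload never reaches RequestFactoryServlet
        }
        chain.doFilter(req, res);
    }
}

// ---- file 2, client side: passed to requestFactory.initialize(eventBus, transport) ----
import com.google.gwt.http.client.Request;
import com.google.gwt.http.client.RequestCallback;
import com.google.gwt.http.client.Response;
import com.google.web.bindery.event.shared.EventBus;
import com.google.web.bindery.requestfactory.gwt.client.DefaultRequestTransport;
import com.google.web.bindery.requestfactory.shared.ServerFailure;

public class AuthAwareTransport extends DefaultRequestTransport {
    private final EventBus eventBus;
    public AuthAwareTransport(EventBus eventBus) { this.eventBus = eventBus; }

    @Override
    protected RequestCallback createRequestCallback(final TransportReceiver receiver) {
        final RequestCallback delegate = super.createRequestCallback(receiver);
        return new RequestCallback() {
            public void onResponseReceived(Request request, Response response) {
                if (response.getStatusCode() == Response.SC_UNAUTHORIZED) {
                    eventBus.fireEvent(new SessionExpiredEvent()); // hypothetical event type
                    receiver.onTransportFailure(new ServerFailure("Not authenticated"));
                    return; // do not hand a non-payload body to the default decoder
                }
                delegate.onResponseReceived(request, response);
            }
            public void onError(Request request, Throwable exception) {
                delegate.onError(request, exception);
            }
        };
    }
}
```

The filter only guards the servlet entry point; per-entity authorization (which user may read or persist which object) still belongs in the service methods the RequestContext calls.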
