How to manage authorization and authentication?
2011/8/11 sunny...@gmail.com <sunny...@gmail.com>
> Hi all,
>
> I have an application that's been in use for the last 6 months or so and will be going into production in <2 months. I've now seen two instances of the problem described below and I'm fairly lost on how it could possibly happen.
>
> The client first needs to login. When the server authenticates the credentials sent by the client, the server returns a User object which has a subset of the user's properties (a 'light' user object), plus the session ID as retrieved on the server by calling getThreadLocalRequest().getSession().getId(). The server keeps a hashmap of session IDs against a fully populated user object (which includes their permissions properties amongst other things).
>
> Whenever a client accesses a GWT-RPC that should be protected, one of the parameters of the RPC is the light user object that the client has received from the server. The server authenticates this by:
> 1) Using HttpServletRequest.isRequestedSessionIdValid()
> 2) Comparing the session ID sent by the client (as stored in the light user object) and the one stored by the server's hashmap, and the one sent in the RPC's getThreadLocalRequest().getSession().getId(). Any inconsistency between the three raises an exception.
>
> Recently, the second occurrence of a weird error happened:
>
> The client has a timer which fires one of these RPCs every 5 seconds to refresh a table. This works really really well - we're using SmartGWT to have a grid that loads new data without the need to flicker or refresh (new rows simply appear, or existing rows update their data every 5 seconds).
>
> On this RPC's callback onFailure I just give a generic message with caught.getMessage() appearing in a popup.
>
> I've had two instances reported by two different users on two different computers now (but both Chrome) where this page has shown a popup with my generic error, but the contents of the error are actually an error page ****from another website****. It's almost as though GWT made the RPC call to the wrong server! (The user sent me a screenie, and surely in my popup there's a 403 error from the gov website.)
>
> This completely blows my mind.
>
> In both instances the error was from a different website (one was a horse racing site, one a government site). I haven't been able to confirm yet whether the users were actually on those sites at any stage or whether there were cookies from those sites (also note I do not specifically use the Cookies class, and I can verify in Chrome that the JSESSIONID cookie is set with the correct domain and path).
>
> I haven't been able to replicate this either. I'm open to any suggestions on how this could be possible.
>
> --
> You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
> To post to this group, send email to google-web-toolkit@googlegroups.com.
> To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
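The server-side check the post describes (container session valid, client-supplied session ID consistent with the container's and with the server's map), written out as an added example; this is not the poster's code, and LightUser, FullUser, GridService and GridServiceImpl are assumed names. The map is keyed by the container's own session ID, so the client-supplied ID only has to agree with it and never selects the user on its own.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Hypothetical 'light' user object returned to the client at login.
class LightUser implements java.io.Serializable {
    String username;
    String sessionId;
}

// Hypothetical fully populated server-side user (permissions etc.).
class FullUser {
    String username;
    boolean canRefreshGrid;
}

interface GridService extends RemoteService {
    String refreshGrid(LightUser caller);
}

public class GridServiceImpl extends RemoteServiceServlet implements GridService {
    // Server-side map of container session ID -> full user, filled in at login.
    static final Map<String, FullUser> SESSIONS = new ConcurrentHashMap<>();

    @Override
    public String refreshGrid(LightUser caller) {
        FullUser user = requireAuthenticated(caller);
        // Authorization comes from the server-side record, not from the client object.
        if (!user.canRefreshGrid) {
            throw new SecurityException("permission denied");
        }
        return "rows for " + user.username;
    }

    private FullUser requireAuthenticated(LightUser caller) {
        // 1) The session ID the browser presented must still be a live container session.
        if (caller == null || !getThreadLocalRequest().isRequestedSessionIdValid()) {
            throw new SecurityException("no valid session");
        }
        // getSession(false) never creates a session for an unauthenticated caller.
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session == null) {
            throw new SecurityException("no session");
        }
        // 2) Look the user up by the container's ID and require the client's copy to match.
        FullUser user = SESSIONS.get(session.getId());
        if (user == null || !session.getId().equals(caller.sessionId)) {
            throw new SecurityException("session mismatch");
        }
        return user;
    }
}
```

On the client, a non-RPC HTTP response (such as an intermediary's 403 page) reaches onFailure as a com.google.gwt.user.client.rpc.StatusCodeException whose message carries the response body, which is why the popup can contain foreign HTML; showing only getStatusCode() and logging the body server-side avoids rendering it to the user.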