On Wednesday, December 21, 2011 3:18:25 PM UTC+1, EMan wrote: > > there have been several posts on RequestFactory security, but I am still > not clear. the sample code here: > > http://code.google.com/p/google-web-toolkit/source/browse/trunk/samples/expenses/src/main/java/com/google/gwt/sample/gaerequest/#gaerequest > > uses a filter to determine if a user can access the RequestFactory > service. But what happens once a user authenticates? does he have access > to all back end request? >
Yes. > ie, if I have a findById method and a findAll (for my admin users) method > in my locator, could a user authenticate, then post to either and receive > all the data in my table? > Yes. > How do we authenticate individual types of request? > Either do it at the start of each method (use RequestFactoryServlet.getThreadLocalRequest().getUserPrincipal() to get the current user). Or create a ServiceLayerDecorator and override the invoke(Method,Object...) method to add the check (probably based on some annotation on the method). I believe you could also use "standard AOP" (Spring AOP or Guice AOP, probably also AspectJ or similar) on your services. We use the second approach, it works very well. -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/2lD-kfluWgcJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
