I find Spring Security to be a viable and simple solution to use while
giving you a range of possibilities for both Authentication and
Authorization. You get exactly that "method to add the check (probably
based on some annotation on the method)." as one of the options.

See:

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html

2.4 Method Security

Under the hood I believe it gets implemented using AOP as Thomas pointed
out. Just in this case you are not implementing it yourself and if tomorrow
you decide to support multiple authentication mechanisms, etc ... you just
add them. The framework is extremely flexible.

Regards,

Alfredo

On Wed, Dec 21, 2011 at 9:38 AM, Thomas Broyer <[email protected]> wrote:

>
>
> On Wednesday, December 21, 2011 3:18:25 PM UTC+1, EMan wrote:
>>
>> There have been several posts on RequestFactory security, but I am still
>> not clear. The sample code here:
>> http://code.google.com/p/google-web-toolkit/source/browse/trunk/samples/expenses/src/main/java/com/google/gwt/sample/gaerequest/#gaerequest
>>
>> uses a filter to determine if a user can access the RequestFactory
>> service. But what happens once a user authenticates? Does he have access
>> to all back end requests?
>>
>
> Yes.
>
>
>> I.e., if I have a findById method and a findAll (for my admin users) method
>> in my locator, could a user authenticate, then post to either and receive
>> all the data in my table?
>>
>
> Yes.
>
>
>> How do we authenticate individual types of request?
>>
>
> Either do it at the start of each method (use
> RequestFactoryServlet.getThreadLocalRequest().getUserPrincipal() to get the
> current user).
> Or create a ServiceLayerDecorator and override the
> invoke(Method,Object...) method to add the check (probably based on some
> annotation on the method).
> I believe you could also use "standard AOP" (Spring AOP or Guice AOP,
> probably also AspectJ or similar) on your services.
>
> We use the second approach, it works very well.



-- 
Alfredo Quiroga-Villamil

AOL/Yahoo/Gmail/MSN IM:  lawwton
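
The `ServiceLayerDecorator` approach from the quoted reply, as an added example that is not part of the original thread or of GWT's own code. The `@RequiresRole` annotation and the `RoleCheckDecorator` class are hypothetical names, and roles are assumed to come from the servlet container through `isUserInRole`.

```java
import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;
import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical decorator: checks the caller's role before every service method runs. */
public class RoleCheckDecorator extends ServiceLayerDecorator {

  /** Hypothetical marker naming the container role a service method requires. */
  @Retention(RetentionPolicy.RUNTIME)
  @Target(ElementType.METHOD)
  public @interface RequiresRole {
    String value();
  }

  @Override
  public Object invoke(Method domainMethod, Object... args) {
    HttpServletRequest request = RequestFactoryServlet.getThreadLocalRequest();

    // The servlet filter should already have rejected anonymous callers;
    // check again so the decorator does not depend on the filter mapping.
    if (request == null || request.getUserPrincipal() == null) {
      return report("Not authenticated");
    }

    // Fail closed: a service method nobody annotated is refused, so a newly
    // added findAll-style method is not exposed to every logged-in user.
    RequiresRole required = domainMethod.getAnnotation(RequiresRole.class);
    if (required == null || !request.isUserInRole(required.value())) {
      // report() sends a failure to the client; keep the message free of
      // user-supplied data and of details about which check failed.
      return report("Access denied");
    }

    // Authorized: continue down the service layer chain to the real method.
    return super.invoke(domainMethod, args);
  }
}
```

The decorator takes effect once an instance is passed to the `RequestFactoryServlet(ExceptionHandler, ServiceLayerDecorator...)` constructor from a servlet subclass mapped in `web.xml`.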
