> I'm writing a web app using GWT and GAE (Java).  I know GAE pretty
> well, especially the Python version; I'm new to GWT and the Java
> version of GAE.


Uuugh, an evil GAE python user who always gets features before us Java
users.  ...just kidding...



>  <security-constraint>
>    <web-resource-collection>
>      <url-pattern>/MyApp.html</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>*</role-name>
>    </auth-constraint>
>  </security-constraint>

> Given the app.yaml configuration (which seems to correctly generate
> the web.xml) to not even let the user see the page unless they are
> logged in, how is it possible for that to even happen?

I don't think it is, is it?

I don't use security-constraint for that purpose.
For login and rpc authentication, I run a servlet filter.

Here are snippets from web.xml:

<web-app>

        <context-param>
                <param-name>gwt.xsrf.session_cookie_name</param-name>
                <param-value>JSESSIONID</param-value>
        </context-param>

        <filter>
                <filter-name>AuthenticationFilter</filter-name>
                <filter-class>com.myPackage.AuthenticationFilter</filter-class>
        </filter>

...


        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>session-cleanup</web-resource-name>
                        <url-pattern>/_ah/sessioncleanup</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                        <role-name>admin</role-name>
                </auth-constraint>
        </security-constraint>

        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>my-app</web-resource-name>
                        <url-pattern>/_ah/mail/*</url-pattern>
                </web-resource-collection>

                <auth-constraint>
                        <role-name>admin</role-name>
                </auth-constraint>
        </security-constraint>

</web-app>

Here's my logic:

(client side) in onModuleLoad()
if no JSESSIONID cookie present, display login which makes an rpc call
to an authenticationService
if cookie present, send request

(server side) in AuthenticationFilter doFilter
if JSESSIONID valid - allow request to desired page -- simply:
chain.doFilter(request, response);
if no JSESSIONID allow call to authenticationService after checking to
make sure it's a login rpc call :  if (((HttpServletRequest)
request).getRequestURI().equals(login_uri)) { ...

if not authenticated by that call, return to client via rpc return and
redisplay login -- if authenticated return to client and proceed with
app
if not authenticated and not a call to authenticationService, allow if
it's a devServer call to access the datastore (this is just
convenience, and not necessary if you don't browse local data)

if none of the above, send a HttpServletResponse.SC_EXPECTATION_FAILED message.
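The four branches described above, written out as a complete servlet filter. This is an added example, not the poster's AuthenticationFilter; it assumes a login RPC path (`LOGIN_URI`), a session attribute that the login service sets after a successful credential check (`USER_ATTR`), and the dev appserver's datastore console living under `/_ah/admin`. The dev-server check uses the App Engine `SystemProperty.environment` API.

```java
package com.myPackage; // package name taken from the posted web.xml

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.google.appengine.api.utils.SystemProperty;

public class AuthenticationFilter implements Filter {

    // Assumed: the servlet path of the login RPC service, and the session
    // attribute that service stores once credentials have been verified.
    private static final String LOGIN_URI = "/myapp/authenticationService";
    private static final String USER_ATTR = "authenticatedUser";
    // Assumed: path prefix of the dev appserver's local datastore console.
    private static final String DEV_CONSOLE_PREFIX = "/_ah/admin";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String uri = request.getRequestURI();

        // 1. Valid JSESSIONID: getSession(false) returns only a session the
        //    container already knows, so a forged or expired cookie yields
        //    null. The session must also carry the marker set by the login
        //    service, so a bare pre-login session does not count as valid.
        if (isAuthenticated(request)) {
            chain.doFilter(request, response);
            return;
        }

        // 2. No valid session, but this is the login RPC itself. The service
        //    checks credentials and sets USER_ATTR on success; on failure it
        //    returns a "not authenticated" result and the client redisplays
        //    the login form.
        if (uri.equals(LOGIN_URI)) {
            chain.doFilter(request, response);
            return;
        }

        // 3. Convenience for the dev server only: let the local datastore
        //    console through. In production this branch never fires.
        if (isDevServer() && uri.startsWith(DEV_CONSOLE_PREFIX)) {
            chain.doFilter(request, response);
            return;
        }

        // 4. Anything else is rejected with the status the post uses.
        response.sendError(HttpServletResponse.SC_EXPECTATION_FAILED, "Not authenticated");
    }

    // True only when the container recognises the session and the login
    // service has already marked it as authenticated.
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    // The App Engine runtime reports Development on the local dev appserver.
    static boolean isDevServer() {
        return SystemProperty.environment.value()
                == SystemProperty.Environment.Value.Development;
    }
}
```

Two things make this work end to end. The login service must call `request.getSession(true)` and set `USER_ATTR` only after the credential check passes, so the filter's first branch has something to test beyond the mere presence of a cookie; the client-side cookie check in onModuleLoad only decides which screen to show, and the filter is what actually gates every request. And the filter needs a `<filter-mapping>` for `AuthenticationFilter` with `<url-pattern>/*</url-pattern>` (the part elided by the `...` in the posted web.xml), otherwise it never runs.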

Anyway, at the time of writing there wasn't a simple way to do
authentication by simply configuring yaml.  I'm not sure if this has
changed or what pre-baked options are available.

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.