1.) 

On the backend (servlet/JSP) you can check if the user is 
authenticated and, if he is, you can render it as a JavaScript variable (var 
user={'name':'John','role':'ADMIN'}) in your HTML/JSP host page. 
Then in your GWT client app you can read this variable. This way you don't 
need any backend call to check if the user is logged in, and it works no 
matter which URL he navigates to (because the host page is loaded every 
time the user refreshes his browser). 
You can store the UserInfo in a global singleton and access it from your 
presenters to check it. 

2.) The JSessionId is only for protecting against XSRF attacks (see here: 
http://code.google.com/p/gwt-platform/wiki/GettingStartedDispatch#Protecting_against_XSRF_attacks).
It's independent of your application/user session management. 
You don't need to manually transmit anything from the GWT client when you 
use server side sessions, because that is done for you. You only have to 
check on the backend if the user session is still valid. 

3.) It's an anti-pattern for RESTful services to deploy server-side 
sessions. However, if you don't care too much about violating this principle, 
you can still use server-side sessions like in traditional web 
applications. 
Usually with RESTful services you have to transmit a secure token or the 
user credentials in every single backend call. You can also use OAuth. 


On Thursday, June 21, 2012 8:54:34 AM UTC+2, Santosh wrote:
>
> I have a few basic questions on session management in GWTP. 
>
> 1. Now, we create a new session when the user logs in to the application. 
> Now, I can open a browser and type in the app URL with a token 
> directly without logging in. It will render the UI page to the user 
> without any checks. Now, we have session checks on the server side. So if 
> the UI page makes a server call on rendering, only then will I get to 
> know the session is not valid and I can redirect him to the login page. But 
> how do we handle the cases where the UI page does not have any server-side 
> logic and the user directly pastes the URL with that token? 
> Do I have to make a server call on every page request from the GWTP 
> presenter just to check the session is valid? Or do we have any other 
> approaches to it? 
>
> 2. I am not passing any explicit session id param from the GWT client to the 
> server. It's only the JSessionId getting passed automatically from the 
> browser to the server. We just do request.getSession() on the server and see 
> if it is null or not (not logged in if null). So I hope we don't have 
> any security issues with this. Please confirm. 
>
> 3. With the GWT client running on Android and the server-side logic exposed as 
> RESTful web services using Jersey, how do we maintain a session, because 
> RESTful WS are stateless? Now how do we achieve a user session in this 
> case?

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/oekj7i7frsUJ.
