What are the best strategies to secure your GWT + Tomcat app to perform authentication and authorization?
可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
回答1:
Therea are two basic strategies:
- secure the entry points;
- secure the remote services.
Secure the entry points
The simplest way is to restrict access to the html/js files generated by GWT using regular web application security tools:
- Spring Security;
- web.xml constraints.
This can allow you to have an e.g. AdminEntryPoint
and UserEntryPoint
.
Secure the remote services
If the above solution is not enough, you can dig deeper. I have done so with Spring Security. I have not found a 100% clean way of integrating Spring Security with GWT, so I added a bit of glue. Briefly:
- created an annotation
@AllowedRoles
which enumerates the user roles allowed to access that service method; - created a
UserDetailsService
which allows inspection of the current user ( see the SecurityContextHolder javadoc for details); - created a Spring aspect which matches all methods annotated with the beforementioned annotation. It uses the service to retrieve the roles of the current user and throws a checked exception to signal an illegal access;
- modified all service methods to throw the security exception.