GWT and Authentication

2019-03-11 03:21发布

问题:

What are the best strategies to secure your GWT + Tomcat app to perform authentication and authorization?

回答1:

Therea are two basic strategies:

  1. secure the entry points;
  2. secure the remote services.

Secure the entry points

The simplest way is to restrict access to the html/js files generated by GWT using regular web application security tools:

  • Spring Security;
  • web.xml constraints.

This can allow you to have an e.g. AdminEntryPoint and UserEntryPoint.

Secure the remote services

If the above solution is not enough, you can dig deeper. I have done so with Spring Security. I have not found a 100% clean way of integrating Spring Security with GWT, so I added a bit of glue. Briefly:

  • created an annotation @AllowedRoles which enumerates the user roles allowed to access that service method;
  • created a UserDetailsService which allows inspection of the current user ( see the SecurityContextHolder javadoc for details);
  • created a Spring aspect which matches all methods annotated with the beforementioned annotation. It uses the service to retrieve the roles of the current user and throws a checked exception to signal an illegal access;
  • modified all service methods to throw the security exception.