User roles in GWT applications

I'm wondering if you could suggest me any way to implement "user roles" in GWT applications. I would like to implement a GWT application where users log in and are assigned "roles". Based on their role, they would be able to see and use different application areas.

Here are two possible solution I thought:

1) A possible solution could be to make an RPC call to the server during onModuleLoad. This RPC call would generate the necessary Widgets and/or place them on a panel an开发者_Python百科d then return this panel to the client end.

2) Another possible solution could be to make an RPC call on login retrieving from server users roles and inspecting them to see what the user can do.

What do you think about?

Thank you very much in advance for your help!

Another way is to host your GWT app in a JSP page. Your JSP might contain a snippet of code like this

<script type="text/javascript">
var role = unescape("${role}");
</script>

Where ${role} is expression language expanded from value you computed from the associated servlet / controller and exposed to the JSP.

When your GWT app runs in the browser, the value will be filled out. Your GWT app can easily call out into JS to obtain this value from a native method call, e.g.

public native String getRole() { /*-{ return $wnd.role; }-*/;

So your module could invoke getRole(), test the value and do what it likes to hide / show elements.

Obviously your backend should also enforce the role (e.g. by storing it in the session and testing it where appropriate) since someone could run the page through a JS debugger, setting breakpoint or similar that modifies the value before it is evaluated allowing them to access things they shouldn't be accessing.

Following scenario works for me:

1. GWT app is behind security constraint.
2. On module load I make RPC call to retrieve roles from the container. I store them in main GWT module's class as static field, to make it easy for other classes to use it.
3. Each widget (especially menu) can use roles (e.g. call Main.getRoles()) and construct itself according to roles. I don't pass roles in constructor. Each widget knows how to behave depending on role.

If it's crucial to not only hide things but also enforce them you can use container security and check roles and rights while invoking business methods.

While using GIN you can also create singleton class to store roles retrieved during login and inject it wherever you need it.