GWT RPC Cookie authentication

I'm using gwt on my glassfish server, and I'm attempting to make some of my RPC calls authenticated via cookies. Is开发者_开发百科 this possible? Are there any examples out there of how to code it?

Depending only on the cookie for authentication will make your website/services vulnerable to Cross-Site Request Forging/XSRF/CSRF attacks - read more on that in Security for GWT Applications.

The best way would be to double check the value you get from the cookie and with the one that's been transported to the server by some other means - as part of the request (header, a custom field, etc).

Other than that, there are many tutorials covering the subject - just search for Java (servlet) authentication - it doesn't have to be GWT-specific. The Google Web Toolkit Group also has many threads about the subject.

I assume that you use GWT's RPC servlet for handling requests made by the client.

One option that comes to my mind is to write and configure a ServletFilter which can examine the cookie, before the request reaches GWT's servlet.

You might rethink using cookies as it is a potencial security hole. Why not put your communication to HTTPS?

Can you not just use the standard 'session' scope, i.e.

request.getSession()

A pattern I use in GWT apps is to have a separate 'old fashioned' login form which sets up the session. The GWT app's host page is then displayed after they have successfully logged in.

If the necessary values aren't in the session, then the user isn't logged in. Your service should return an exception, maybe, which instructs the GWT app to redirect to the login page, or display an error.