GWT 2.0 integration with Spring Security 3.0
I have been using GWT 2.0 for a few days. So, I am trying to code a basic application with a login form and a page accessible only if I am logged in.
Usually in my web applications with JSF, for example, I use Spring Security 3.0 to configure and secure that kind of application. So, I decided to try to do the same thing with my GWT 2.0 application.
I have configured the server part of Spring Security correctly. So from my GWT login page, I can enter my login/password and the authentication via Spring Security is performed. The redirection to the secured page is done and I can get the connected user via an RPC call to a security service that uses the SecurityContext of Spring Security. So, I think that part is OK.
But I have a big problem securing URLs. Indeed, I would like to secure the page to restrict access to a specific role, like I usually do with Spring Security.
In my GWT application, I use the MVP pattern with a central application controller. So, I have only one page, and for that page I go to different views by adding #name_of_view to the end of the URL. For example, to access my login page in development mode, I use the following URL in my browser:
http://127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codesvr=127.0.0.1:9997#login
Once I am correctly logged in, I go to the following view:
http://127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codesvr=127.0.0.1:9997#pagesecured
Because of that, I don't know how to configure the http tag in Spring Security, or how to define the URLs to intercept in order to assign them specific roles that restrict access. Furthermore, I think there will be a problem using these URLs between development mode and a classic production mode. No?
So, would someone have any idea to help me configure and secure my application using these URLs? Or by using another technique to secure an application with form login?
Thanks in advance for your help.
Sylvain.
You can't use page-level security in this scenario, because your views are being changed at the client-side.
The only way to implement role-based security in this kind of application is to use method-level security in your server-side code. You may also restrict access to your Application.html for non-authenticated users by creating a separate non-GWT login page (say, Login.html).
Agree with @axtavt - in general, you can't use page-level security with GWT, because it is only a single page as far as Spring Security is concerned.
You should do the following:
Secure your RPC URLs. If required, you can use method-level security as axtavt pointed out. To hook up RPC with Spring Security, override the onAfterRequestDeserialized(RPCRequest) method in your RPC servlet. The RPCRequest has details about the method being invoked and the actual parameters that are being passed to that method. This information is sufficient to prevent one user from updating the records of another user. In case of an authentication or authorization error in your RPC service, throw appropriate errors and send them to the client. In your client, create a centralized error handler and show the appropriate message to the user.
And finally, in addition to Spring Security, you may want to protect yourself against XSS and CSRF. Refer to Security for GWT Applications for additional information.
Have a look at my blog post, http://technowobble.blogspot.com/2010/05/gwt-and-spring-security.html for a sample application that integrates GWT and Spring Security. Hopefully, it will give you some ideas on how to implement your specific needs.
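As an added illustration of the hook described in this answer (example code, not from the answer, GWT or Spring Security): a base RPC servlet that overrides onAfterRequestDeserialized and rejects a call before it is dispatched. It assumes the RPC servlet URL sits inside Spring Security's filter chain so the SecurityContext is populated; the RequiresRole annotation and the Owned interface are hypothetical helpers defined here.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import com.google.gwt.user.server.rpc.RPCRequest;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/** Hypothetical base servlet: checks every deserialized GWT-RPC call against the Spring SecurityContext. */
public abstract class SecuredRemoteServiceServlet extends RemoteServiceServlet {
    /** Hypothetical marker for methods of the RemoteService interface, e.g. @RequiresRole("ROLE_ADMIN"). */
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    public @interface RequiresRole { String value(); }
    /** Hypothetical marker for DTOs that belong to one user, so ownership can be enforced here. */
    public interface Owned { String getOwnerName(); }

    @Override
    protected void onAfterRequestDeserialized(RPCRequest rpcRequest) {
        Method method = rpcRequest.getMethod();  // the RemoteService interface method being invoked
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Assumes Spring Security's filter chain wraps the RPC URL; otherwise the context is empty here.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            throw new AuthenticationCredentialsNotFoundException("login required for " + method.getName());
        }
        RequiresRole required = method.getAnnotation(RequiresRole.class);
        if (required != null && !hasAuthority(auth, required.value())) {
            throw new AccessDeniedException(method.getName() + " requires " + required.value());
        }
        // Parameter-level check: a caller may only touch records they own (ROLE_ADMIN is exempt).
        for (Object param : rpcRequest.getParameters()) {
            if (param instanceof Owned && !hasAuthority(auth, "ROLE_ADMIN")
                    && !auth.getName().equals(((Owned) param).getOwnerName())) {
                throw new AccessDeniedException("record belongs to another user");
            }
        }
    }

    private static boolean hasAuthority(Authentication auth, String role) {
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

An exception thrown from this hook leaves processCall uncaught, and the base servlet's doPost answers with an HTTP 500, which the GWT client receives as an InvocationException that the centralized error handler mentioned above can turn into a user-facing message.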
You can use page-level security, as your GWT module can be shared by two pages using the method described by rustyshelf here: Problem with multiple entry points in the same module.
In summary:
- Create a page, e.g. Login.html, which will only use the token login, allow anyone to access it and for example it should contain a div tag with the ID login.
- Use Application.html, with a div tag with the ID application, which will be for everything else and make sure that it won't allow the use of the login token and deny access to any unauthenticated users.
- Have your GWT module load the appropriate view according to the div tag that is on the page.
The divs in each of the HTML files should be used just to work out which HTML page is going to be displayed (in onModuleLoad), but the div should then be removed, as the rest of the application should not rely on the presence of the div.
You should also use method security to secure your RPCs, as the above will just secure the URL that most of your application will work from.
I just completed writing an article on how to integrate GWT with Spring Security without the need to use a JSP page.
You can check it here: http://crazygui.wordpress.com/2014/08/29/secure-rest-services-using-spring-security/ I also posted a working example on GitHub.