I am currently developing a GWT 2.1 application that is to be deployed on Google App Engine. I would like to realise the server communication using the new RequestFactory.
Now my question is how to handle fine-grained security issues in this context? Some server actions (of those declared in the RequestContext stubs) shall be restricted to certain users (possibly depending on the parameters of the remote call). If a call is unauthorised, I would like the client to show a login page (so that one may log in as a different user, for example).
From the Expenses example, I know how to implement an automatic redirection to a login page, but in this example, the security model is quite simple: A client is allowed to access the servlet if and only if a user is logged in.
Shall I raise a custom UnAuthorizedException in my server-side service? Where should I intercept this exception? (Can I do this in a servlet filter like the GaeAuthFilter of the Expenses example?)
I was also looking for a solution to this, and came up with the following. It doesn't totally handle the user-interface aspect of things (i.e. redirection to the login page), but it will protect your data layer from unauthorized access.
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// GWT 2.1.0 package; from GWT 2.1.1 on the class lives in
// com.google.web.bindery.requestfactory.server.RequestFactoryServlet
import com.google.gwt.requestfactory.server.RequestFactoryServlet;

public class MyRequestFactoryServlet extends RequestFactoryServlet
{
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException
    {
        if (! userIsLoggedIn(req))
        {
            // surfaces to the client as a failed request (HTTP 500)
            throw new ServletException("not logged in");
        }
        else
        {
            super.doPost(req, res);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException
    {
        if (! userIsLoggedIn(req))
        {
            throw new ServletException("not logged in");
        }
        else
        {
            super.doGet(req, res);
        }
    }

    protected boolean userIsLoggedIn(HttpServletRequest req)
    {
        // insert your custom code here for checking session for valid login token
        // getSession(false) does not create a session for an anonymous request
        HttpSession session = req.getSession(false);
        if (session == null)
        {
            return false;
        }
        // User is the application's own session principal class
        User user = (User) session.getAttribute("LOGGED_IN_USER");
        return user != null && user.isEnabled();
    }
}
```
Then you use MyRequestFactoryServlet in your web.xml instead of RequestFactoryServlet.
To handle the UI aspect of login, I have my app's landing page check for valid login using GWT RPC; if the user isn't logged in, they're prompted for a username/password. The above code protects the back end from users who try to circumvent the login page by jumping directly to other URLs, or by manually posting data to the servlet.
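An added example, not the answer's code, of the fine-grained per-method check the question asks about: a ServiceLayerDecorator (GWT 2.1.1 and later, package com.google.web.bindery.requestfactory.server) inspects the service method and the call arguments before each invocation, and an ExceptionHandler turns a refusal into a ServerFailure the client sees in Receiver.onFailure(). The @RequiresRole annotation, the SessionUser class and the LOGGED_IN_USER attribute are assumed application names.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import javax.servlet.http.HttpSession;
import com.google.web.bindery.requestfactory.server.*;
import com.google.web.bindery.requestfactory.shared.ServerFailure;

// Assumed annotation: put it on the server-side service method, not on the RequestContext stub.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface RequiresRole { String value(); }

// Assumed session principal that the application's login code stores under LOGGED_IN_USER.
class SessionUser {
    final String name; final String role;
    SessionUser(String name, String role) { this.name = name; this.role = role; }
}

// Runs before every service method the client invokes through a RequestContext.
class AuthDecorator extends ServiceLayerDecorator {
    @Override
    public Object invoke(Method domainMethod, Object... args) {
        HttpSession s = RequestFactoryServlet.getThreadLocalRequest().getSession(false);
        SessionUser user = s == null ? null : (SessionUser) s.getAttribute("LOGGED_IN_USER");
        if (user == null) {
            throw new SecurityException("NOT_LOGGED_IN");   // client reacts by showing the login page
        }
        RequiresRole required = domainMethod.getAnnotation(RequiresRole.class);
        if (required != null && !required.value().equals(user.role)) {
            throw new SecurityException("FORBIDDEN");       // user lacks the role this method needs
        }
        // Parameter-dependent rules go here: args are the deserialized call arguments.
        return super.invoke(domainMethod, args);            // authorized: run the real service method
    }
}

// Maps the SecurityException to a non-fatal ServerFailure delivered to Receiver.onFailure().
class AuthExceptionHandler implements ExceptionHandler {
    private final ExceptionHandler fallback = new DefaultExceptionHandler();
    @Override
    public ServerFailure createServerFailure(Throwable t) {
        if (t instanceof SecurityException) {
            return new ServerFailure(t.getMessage(), t.getClass().getName(), null, false);
        }
        return fallback.createServerFailure(t);
    }
}

// Register this servlet in web.xml in place of RequestFactoryServlet.
public class SecuredRequestFactoryServlet extends RequestFactoryServlet {
    public SecuredRequestFactoryServlet() { super(new AuthExceptionHandler(), new AuthDecorator()); }
}
```

On the client, the Receiver's onFailure() can test ServerFailure.getMessage() for NOT_LOGGED_IN and route to the login page, which is the redirection the servlet-level check alone does not give you.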