Integrate GWT with Spring Security framework

I have searched for tutorials on this topic, but all of them are outdated. Could anyone provide me with any links or samples about integrating Spring Security into GWT?

Olzhas asked Mar 25 '26 12:03

1 Answer

First of all, you have to bear in mind that a GWT application is turned into JavaScript running on the client side, so there is nothing you can really do about securing some resources out there. All sensitive information should be stored on the server side (as in every other case, not only for GWT), so the right way is to think of Spring Security integration from the point of view of the application services layer and integrating that security with the communication protocol you use - in the case of GWT it is request factory in most cases.

The solution is not very simple, but I could not do it in any better way... any refinement suggestions are welcome.

You need to start by creating a GWT ServiceLayerDecorator that will connect the world of request factory with the world of Spring. Override the createServiceInstance method, taking the name of the Spring service class to be invoked from the ServiceName annotation value, and return an instance of this service (you need to obtain it from the Spring ApplicationContext):

final Class<?> serviceClass = requestContext.getAnnotation(ServiceName.class).value();
return appContext.getBean(serviceClass);

Also, you need to override the superclass invoke(Method, Object...) method in order to catch all thrown runtime exceptions. The caught exception's cause should be analyzed to see if it's an instance of Spring Security's AccessDeniedException. If so, the exception cause should be rethrown. In that case, GWT will not serialize the exception into a string, but rethrow it again; thus, the dispatcher servlet can handle it by setting the appropriate HTTP response status code. All other types of exceptions will be serialized by GWT into a String.

Actually, you could catch only GWT's ReportableException, but unfortunately it has a package access modifier (heh... GWT is not so easily extensible). Catching all runtime exceptions is much safer (although not very elegant, we have no choice) - if the GWT implementation changes, this code will still work fine.

Now you need to plug in your decorator. You can do it easily by extending the request factory servlet and defining your servlet's constructor as follows:

public MyRequestFactoryServlet() {
  // Delegate to the RequestFactoryServlet(ExceptionHandler, ServiceLayerDecorator...) constructor
  super(new DefaultExceptionHandler(), new SpringServiceLayerDecorator());
}

The last thing - you need to do a dirty hack and override the request factory servlet's doPost method, changing the way it handles exceptions - by default, the exception is serialized into a string and the server sends a 500 status code. Not all exceptions should result in a 500 status code - for example, security exceptions should result in an unauthorized status code. So what you need to do is override the exception handling mechanism in the following way:

catch (RuntimeException e) {
  if (e instanceof AccessDeniedException) {
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  } else {
    response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    LOG.log(Level.SEVERE, "Unexpected error", e);
  }
}

Instead of extending classes, you can try to use some 'around' aspects - it is a cleaner solution in this case.

That's it! Now you can annotate your application services layer as usual with Spring Security annotations (@Secured and so forth).

I know - it's all complicated, but Google's request factory is hardly extendable. The guys did great work on the communication protocol, but the design of this library is just terrible. Of course the client-side code has some limitations (it is compiled to JavaScript), but the server-side code could be designed much better...

omnomnom answered Mar 27 '26 04:03
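The decorator described in the answer above, written out in full as an added example (it is not code from the original answer). It assumes the Spring root context was registered by ContextLoaderListener and is looked up through the servlet's thread-local ServletContext, and it resolves the service class with the service layer's own resolveServiceClass rather than reading the annotation by hand.

```java
import java.lang.reflect.Method;
import javax.servlet.ServletContext;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.context.support.WebApplicationContextUtils;
import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;
import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;
import com.google.web.bindery.requestfactory.shared.RequestContext;

public class SpringServiceLayerDecorator extends ServiceLayerDecorator {

  @Override
  public Object createServiceInstance(Class<? extends RequestContext> requestContext) {
    // Resolves the @Service / @ServiceName annotation on the RequestContext
    // interface to the server-side service class.
    Class<?> serviceClass = getTop().resolveServiceClass(requestContext);
    // Returning the Spring-managed bean (a proxy when method security is
    // enabled) is what makes @Secured and similar annotations take effect.
    return applicationContext().getBean(serviceClass);
  }

  @Override
  public Object invoke(Method domainMethod, Object... args) {
    try {
      return super.invoke(domainMethod, args);
    } catch (RuntimeException e) {
      // GWT wraps whatever the service threw. Unwrap only the security
      // exception so the servlet can map it to an HTTP status code.
      if (e.getCause() instanceof AccessDeniedException) {
        throw (AccessDeniedException) e.getCause();
      }
      // Everything else keeps GWT's default handling (serialized failure).
      throw e;
    }
  }

  // Assumption: the root WebApplicationContext was registered by Spring's
  // ContextLoaderListener in the same web application.
  private ApplicationContext applicationContext() {
    ServletContext sc = RequestFactoryServlet.getThreadLocalServletContext();
    return WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
  }
}
```

If Spring wraps the service in a JDK interface proxy, the type named in the annotation has to be that interface, otherwise both the bean lookup and the reflective call fail.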