GWT 2.0 integration with Spring Security 3.0

Question

I used GWT 2.0 since a few days. So, I try to code an basic application with a login form and a page accessible only if i am logged.

Usually in my web application with jsf for example, I use Spring Security 3.0 to configure and secure that kind of application. So, I decided to try to do the same thing with my GWT 2.0 application.

I've well configured the server part of Spring Security. So from my GWT login page, I can enter my login/password and the authentication via Spring Security is performed. The redirection to the secured page is done and I can get the connected user via an rpc call to security service that uses the SecurityContext of Spring Security. So, I think that part is ok.

But, I have got a big problem to secure urls. Indeed, I would like to secure the page to restrict access to specific Role like I do with Spring Security usually.

In my GWT application, I use MVP pattern with central application controller. So, I have got only one page and for that page I'm going to differents views when adding #name_of_view to the end of the URL. For example, to access to my login page in development mode, I use the following URL on my browser :

http:// 127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codesvr=127.0.0.1:9997#login

Once i am correctly logged, I'm going to the following view :

http:// 127.0.0.1:8888/fr.myapp.Application/Application.html?gwt.codesvr=127.0.0.1:9997#pagesecured

Because of that, I don't know how to configure the http tag in Spring Security and how to define URL to intercept to affect them specific roles to restrict access. Furthermore, I think there will be a problem to use these URL between development mode and a classic production mode. No ?

So, someone would have any idea to help me to configure and secure my application using these URLs ? or by using an other technic to secure application with form login ?

Thanks by advance for your help.

Sylvain.

Answer 1

You can't use page-level security in this scenario, because your views are being changed at the client-side.

The only way to implement a role-based security in such kind application is to use a method-level security in your server-side code. You may also restrict access to your Application.html for non-authenticated users by you creating a spearate non-GWT login page (say, Login.html).

Answer 2

Agree with @axtavt - In general, you can't use page level security with GWT, because it only is a single page as far as spring security is concerned.

You should do the following -

1. Secure your RPC URLs. If required, you can use method level security as axtavt pointed out. To hook up RPC with Spring Security, override the onAfterRequestDeserialized(RPCRequest) method in your RPC Servlet. The RPCRequest method has details about the method being invoked and the actual parameters that are being passed to that method. This information is sufficient to prevent one user from updating the records of another user.

2. In case of an authentication or authorization error in your RPC service, throw appropriate errors and send them to the client. In your client, create a centralized error handler and show the appropriate message to the user.

3. And finally, in addition to spring security, you may want to protect yourself against XSS and CSRF. Refer to Security for GWT Applications for additional information.