
GWT and Authentication

Tags:

java

security

gwt

What are the best strategies to secure your GWT + Tomcat app to perform authentication and authorization?

Vish asked Aug 28 '09 23:08


1 Answer

There are two basic strategies:

  1. secure the entry points;
  2. secure the remote services.

Secure the entry points

The simplest way is to restrict access to the html/js files generated by GWT using regular web application security tools:

  • Spring Security;
  • web.xml constraints.

This can allow you to have, e.g., an AdminEntryPoint and a UserEntryPoint.

Secure the remote services

If the above solution is not enough, you can dig deeper. I have done so with Spring Security. I have not found a 100% clean way of integrating Spring Security with GWT, so I added a bit of glue. Briefly:

  • created an annotation @AllowedRoles which enumerates the user roles allowed to access that service method;
  • created a UserDetailsService which allows inspection of the current user (see the SecurityContextHolder javadoc for details);
  • created a Spring aspect which matches all methods annotated with the aforementioned annotation. It uses the service to retrieve the roles of the current user and throws a checked exception to signal an illegal access;
  • modified all service methods to throw the security exception.
Robert Munteanu answered Oct 20 '22 21:10
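One way the annotation-plus-aspect glue described in the answer could look, as an added sketch that is not the answerer's code. The names `RoleGuard`, `AllowedRoles`, `ServiceAccessException` and `AllowedRolesAspect` are hypothetical, and the sketch reads roles straight from `SecurityContextHolder` rather than through a custom `UserDetailsService`; it assumes Spring Security, Spring AOP and the AspectJ annotations are on the classpath.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

public class RoleGuard {                      // hypothetical holder class

    @Retention(RetentionPolicy.RUNTIME)       // the aspect reads it at run time
    @Target(ElementType.METHOD)
    public @interface AllowedRoles {
        String[] value();                     // e.g. {"ROLE_ADMIN"}
    }

    /** Checked: each guarded service method must declare it, otherwise the
     *  proxy surfaces it as an UndeclaredThrowableException. */
    public static class ServiceAccessException extends Exception {
        public ServiceAccessException(String message) { super(message); }
    }

    @Aspect
    @Component   // Spring AOP only advises Spring-managed beans, so the
                 // annotated methods must live on a bean, not on a servlet
                 // instantiated by Tomcat.
    public static class AllowedRolesAspect {

        @Before("@annotation(allowed)")
        public void check(AllowedRoles allowed) throws ServiceAccessException {
            Authentication auth =
                    SecurityContextHolder.getContext().getAuthentication();
            // Fail closed when no security context was established.
            if (auth == null || !auth.isAuthenticated()) {
                throw new ServiceAccessException("not authenticated");
            }
            Set<String> held = auth.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .collect(Collectors.toSet());
            // Anonymous sessions hold only ROLE_ANONYMOUS and are rejected
            // here unless a method lists that role explicitly.
            if (Arrays.stream(allowed.value()).noneMatch(held::contains)) {
                throw new ServiceAccessException("role not permitted");
            }
        }
    }
}
```

A guarded method would then be written as `@AllowedRoles({"ROLE_ADMIN"}) public void deleteUser(long id) throws ServiceAccessException`, with the annotation placed on the implementation method of the Spring bean.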