Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to integrate Spring Security and GWT?

I'm trying to integrate Spring Security and GWT. I'm also using gwt-incubator-security. I configured everything as it was described on their wiki pages. I managed to get security working by using intercept-url, but I can't get it working using annotations. Any ideas about what the problem is?

P.S. I'm using Spring 2.5.6, Spring Security 2.0.5 and gwt-incubator-security 1.0.1. Any useful links and comments are welcome.

Here are my config files

applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<global-method-security secured-annotations="enabled"
    jsr250-annotations="disabled" />
<http auto-config="true">
    <!-- <intercept-url pattern="/**/*.rpc" access="ROLE_USER" /> -->
    <intercept-url pattern="/gwt/**" access="ROLE_USER" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>
<authentication-provider>
    <user-service>
        <user name="rod" password="koala"
            authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
        <user name="dianne" password="emu" authorities="ROLE_USER,ROLE_TELLER" />
        <user name="scott" password="wombat" authorities="ROLE_USER" />
        <user name="peter" password="opal" authorities="ROLE_USER" />
    </user-service>
</authentication-provider>
<beans:bean id="greetService" class="com.ct.test.server.GreetingServiceImpl" />

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app>
<!-- Default page to serve -->
<welcome-file-list>
    <welcome-file>Spring_test.html</welcome-file>
</welcome-file-list>
<!--  Spring related configuration  -->
<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>
<!-- Initialise the Spring MVC DispatcherServlet -->
<servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<!-- Map the DispatcherServlet to only intercept RPC requests -->
<servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/spring_test/greet.rpc</url-pattern>
    <!--
        <url-pattern>/org.example.gwtwisdom.GwtWisdom/services/*</url-pattern>
    -->
</servlet-mapping>
<servlet>
    <servlet-name>greetServlet</servlet-name>
    <servlet-class>com.ct.test.server.GreetingServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>greetServlet</servlet-name>
    <url-pattern>/spring_test/greet.rpc</url-pattern>
</servlet-mapping>
<!-- Spring security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

spring-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- The application context definition for the DispatcherServlet -->
<bean id="urlMapping" class="com.gwtincubator.security.server.GWTSecuredHandler">
    <property name="mappings">
        <map>
            <entry key="/spring_test/greet.rpc" value-ref="greetService" />
        </map>
    </property>
</bean>

Here is my sample project that i tried to integrate with Spring Security: http://www.filedropper.com/springtest_1

like image 606
jb. Avatar asked Oct 22 '09 17:10

jb.


People also ask

How does Spring MVC integrate Spring Security?

To enable Spring Security integration with Spring MVC add the @EnableWebSecurity annotation to your configuration. Spring Security provides the configuration using Spring MVC's WebMvcConfigurer.

How does Spring Security authentication work internally?

The Spring Security Architecture There are multiple filters in spring security out of which one is the Authentication Filter, which initiates the process of authentication. Once the request passes through the authentication filter, the credentials of the user are stored in the Authentication object.


1 Answers

I'am using GWT+Spring security. I find in your configuration, there is some misunderstanding. In fact, there is a very simple way that can let spring security work with your gwt regardless the gwt-incubator-security. You just need to declare your application context in you web.xml.

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext-security.xml</param-value>
  </context-param>

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener> 

You don't declare here your MVC dispatcherServlet ! Then everything works because of the Spring Security framework mechanism.

But This way of configuration doesn't declare DispatcherServlet, it is simple, but in case that you need some security funcionality that need DispatcherServlet, is is a "piege". So as i've met.

Then if you insist to use gwt-incubator-security. I've read a very good solution in french, but it rest uncheck. http://hugo.developpez.com/tutoriels/java/gwt/utilisation-gwt-avec-spring-et-hibernate/

  1. Integrate Spring in the application with GWT-SL: In fact, for the integration of Spring and hibernate, the problem is how to configure correctly the servlet. One should be aware that the Spring has its own servlet “DispatcherServlet” so as the gwt with its “gwt servlet”. Normally, in the tutorial for the GWT RPC, the gwt-servlet is declared in the web-xml, like
 <servlet>
    <servlet-name>appService</servlet-name>
    <servlet-class>com.google.gwt.app.example.server.AppServiceImpl</servlet-class>
  </servlet>
  <servlet-mapping>
     <servlet-name>appService</servlet-name>
     <url-pattern>/app/appService</url-pattern>
   </servlet-mapping>

If you like very much Spring, and you want to use DispatcherServlet to dispatch the request, then GWT-handler can help you to get rid of the problem. Firstly, you load application context in the web.xml as below:

<context-param>
<param-name> contextConfigLocation </param-name>
    <param-value> classpath:applicationContext_GWT.xml </param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>

Then you can declare your rpc service in Spring context: applicationContext_GWT.xml

<bean id=" appService " 
         class=" com.google.gwt.app.example.server.AppServiceImpl">
</bean>

But you should not forget to add the GWTHandler declaration in the application context file applicationContext_GWT.xml
The last thing is to declare the spring servlet: DispatcherServlet in the web.xml. Pay attention to the fact that this is the spring’s proper servlet not the GWT-SL’s. web.xml

<servlet>  
    <servlet-name>handler</servlet-name>
    <servlet-class> org.springframework.web.servlet.DispatcherServlet </servlet-class>
       <load-on-startup>1</load-on-startup>
</servlet>  
<servlet-mapping>
<servlet-name>handler</servlet-name>
<url-pattern>*.rpc</url-pattern>
</servlet-mapping>

Servlet name is important because DispatcherServlet will search for the spring context file named by “*-servlet.xml”. As the servlet name is handler, it will search for the spring context “handler-servlet.xml”. So here we will solve the problem like this, we put the application context which is independent with the DispatcherServlet in the “applicationContext_GWT.xml”, then the one that is dependent with the DispatcherServlet in the “-servlet.xml”, as the servlet name is “handler”, then we should have “handler-servlet.xml”, then put the following configuration of GWT_SL from applicationContext_GWT.xml into handler-servlet.xml Handler-servlet.xml

<bean id="urlProjectMapping" class="org.gwtwidgets.server.spring.GWTHandler">
        <!-- Supply here mappings between URLs and services. Services must implement the RemoteService interface but are not otherwise restricted.-->
        <property name="mappings">
             <map>
    <!-- Other mappings could follow -->
    <entry key="/app/appService.rpc" value-ref="appService" />
             </map>
         </property>
</bean> 

Then add the following configuration in the web.xml dans la declaration de servlet.

<init-param>
               <param-name>contextConfigLocation</param-name>
    <param-value> /WEB-INF/handler-servlet.xml </param-value>
</init-param>

The filter pattern concerns just the RPC call with a suffix .rpc (I didn’t use the GWT-SL, so the method above for integration has not been checked.)

After you have all the above configuration, then you create your filtreprocessentrypoint in your applicationi context file.

Hope this can help you!

like image 87
lhuang Avatar answered Oct 07 '22 01:10

lhuang