I have a GWT based application. I want to add access control to it. Is there a way to add custom access control for GWT components?
My idea about adding access control/permissions would be as following.
- Add access control annotation (if there exists one) to the开发者_JAVA技巧 class (GWT component) for which I need to add access control.
- When this component gets rendered, my custom method which checks for access control rules get called and depending on its results the component gets rendered.
Any ideas of how this can be achieved.
In a GWT app I've done access control two ways, both assume that access control is enforced on the server - in every AJAX (GWT RPC) call. The javascript side is inherently unsafe, so any controls there would be pointless.
Depending on how fine grained access control I've needed, I've either used URL-based control by the servlet container protecting the GWT RPC end point. I.e.
/public/gwt.rpc.endpoint
/private/gwt.rpc.endpoint
Protect the private one using either bog standard web.xml, or spring security. However this then led me to handle logins the "normal" form-based way before launching the GWT application.
A more fine grained approach has been to use an exception on every GWT RPC exposed method:
interface MyService extends RemoteService {
SomeData getPublicData();
SomeSecret getPrivateData() throws AccessDeniedException;
Result login(String username, String password);
}
interface MyServiceAsync {
void getPublicData(AsyncCallback<SomeData> callback);
void getPrivateData(AsyncCallback<SomeSecret> callback);
void login(String username, String password, AsyncCallback<Result> callback);
}
By making AccessDeniedException RPC serializable, I will receive that exception in the AsyncCallback - this makes it possible to throw up a login-dialog inside the GWT app.
However the actual login call and server side session handling I've then done completely manually not relying on any framework for that (though you could do it with Spring Security).
精彩评论