How to handle security constraints using GWT 2.1's RequestFactory?

Posted by Marc on Stack Overflow See other posts from Stack Overflow or by Marc
Published on 2010-12-29T19:47:23Z Indexed on 2010/12/29 19:54 UTC
Read the original article Hit count: 307

I am currently developing a GWT 2.1 application that is to be deployed on Google App Engine. I would like to realise the server communication using the new RequestFactory.

Now my question is how to handle fine-grained security issues in this context? Some server actions (of those declared in the RequestContext stubs) shall be restricted to certain users (possibly depending on the parameters of the remote call). If a call is unauthorised, I would like the client to show a login page (so that one may log in as a different user, for example).

From the Expenses example, I know how to implement an automatic redirection to a login page, but in this example, the security model is quite simple: A client is allowed to access the servlet if and only if a user is logged in.

Shall I raise a custom UnAuthorizedException in my server-side service? Where should I intercept this exception? (Can I do this in a servlet filter like the GaeAuthFilter of the Expenses example?)

© Stack Overflow or respective owner

Related posts about security

Related posts about google-app-engine