GWT和认证 [英] GWT and Authentication
问题描述
什么是保护您的GWT + Tomcat应用程序执行身份验证和授权的最佳策略?
策略:
- 保护入口点;
- 保护远程服务。
确保入口点
最简单的方法是限制对html / js文件的访问由GWT使用常规Web应用程序安全工具生成:
- Spring Security;
- web.xml约束。
- web.xml约束。
这可以让你有一个例如 AdminEntryPoint
和 UserEntryPoint
。
确保远程服务
如果上述解决方案不够,可以深入挖掘。我在Spring Security中这样做了。我还没有找到将Spring Security与GWT集成的100%干净方式,所以我添加了一些胶水。简而言之:
- 创建了一个注释
@AllowedRoles
,它列举了允许访问的用户角色该服务方法;
- 创建了一个允许检查当前用户的
UserDetailsService
(请参阅; /> / li>
- 创建了一个Spring方面,该方面与前面提到的注释中注解的所有方法相匹配。它使用该服务来检索当前用户的角色,并引发一个检查的异常以指示非法访问;
- 修改所有服务方法以引发安全异常。
- 创建了一个Spring方面,该方面与前面提到的注释中注解的所有方法相匹配。它使用该服务来检索当前用户的角色,并引发一个检查的异常以指示非法访问;
What are the best strategies to secure your GWT + Tomcat app to perform authentication and authorization?
Therea are two basic strategies:
- secure the entry points;
- secure the remote services.
Secure the entry points
The simplest way is to restrict access to the html/js files generated by GWT using regular web application security tools:
- Spring Security;
- web.xml constraints.
This can allow you to have an e.g. AdminEntryPoint
and UserEntryPoint
.
Secure the remote services
If the above solution is not enough, you can dig deeper. I have done so with Spring Security. I have not found a 100% clean way of integrating Spring Security with GWT, so I added a bit of glue. Briefly:
- created an annotation
@AllowedRoles
which enumerates the user roles allowed to access that service method; - created a
UserDetailsService
which allows inspection of the current user ( see the SecurityContextHolder javadoc for details); - created a Spring aspect which matches all methods annotated with the beforementioned annotation. It uses the service to retrieve the roles of the current user and throws a checked exception to signal an illegal access;
- modified all service methods to throw the security exception.
这篇关于GWT和认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!