GWT: Authentication for some part of application using GWT login page

Views: 526

Problem description


My application has some features that are accessible to all users, and some other features to which access should be restricted to authenticated users only. All these restricted features exist within some set of GWT Places, thus all Places available in the application can be divided into two groups: "accessible for all" and "restricted". In my opinion, places with restricted access could implement some interface (let's say it would be RestrictedAccess), and if a user proceeds to one of them and has not been authenticated yet, it will be redirected to the login screen - it's a more OO approach than applying filters based on URL.

What I want to achieve is:

  1. Information about whether the user has been authenticated or not should be stored on the server (it cannot be stored in a cookie...)

  2. The login page is a standard GWT Place + View + Activity (!)

  3. Username & password verification is done on the server side.


So far, I've introduced RestrictedAccess interface, which is implemented by some set of places. My FilteredActivityMapper.Filter implementation, which is passed to the FilteredActivityMapper wrapping application activity mapper has the following logic:

import com.google.gwt.activity.shared.FilteredActivityMapper;
import com.google.gwt.place.shared.Place;

// Client-side filter passed to FilteredActivityMapper
public class RestrictedAccessFilter implements FilteredActivityMapper.Filter {

    @Override
    public Place filter(Place place) {
        if (place instanceof RestrictedAccess && !userHasBeenAuthenticated()) {
            return new LoginPlace();
        }

        // return the original place - user has been already authenticated or
        // place is accessible for all users
        return place;
    }

    private boolean userHasBeenAuthenticated() {
        // remote call - how to do ???
        // (has to answer synchronously, but GWT RPC / RequestFactory are asynchronous)
        return false; // placeholder so the class compiles
    }
}


The problem is with the userHasBeenAuthenticated() method (the user should not be redirected to the LoginPlace if it has already been authenticated). If I want to store this information on the server side, I have to do a GWT RPC/RequestFactory call here, but both are asynchronous, so I cannot work on its result in the filter method.


I know that I can use web.xml filters or some external framework (e.g. Spring Security), but none of these approaches allows me to have the login page as a standard GWT-based form, or to indicate in a more OO way that access to some place should be restricted.

Thanks in advance for any hints


EDIT: I've started to wonder if places filtering (restricted/not restricted) should take place on the client side at all. If, as was suggested, there is a possibility to hack the code indicating whether the user has been authenticated or not, there is also a possibility to hack the places filtering code, so that it will be possible to access restricted places without signing in.

Recommended answer

Piotrek,


I think there is a security issue with calling userHasBeenAuthenticated() - it would be possible to hack the client side code to return true every time this function is called.


The solution I've implemented is to simply return SC_UNAUTHORIZED if an unauthenticated user attempts to access any remote service. I've overridden the RequestFactory onResponseReceived function which redirects to a login page if the response is SC_UNAUTHORIZED. Idea taken from: http://code.google.com/p/google-web-toolkit/source/browse/trunk/samples/expenses/src/main/java/com/google/gwt/sample/gaerequest/client/GaeAuthRequestTransport.java


This works for our situation where the Activities and Places are all data-centric - each place change retrieves data from the server. If a user isn't authenticated they simply don't get the data and get redirected to a login page.


I realize your situation is slightly different in that some places are accessible to everyone, in which case you could configure only the restricted services to return SC_UNAUTHORIZED.
