GWT和认证 [英] GWT and Authentication

问题描述

什么是保护您的GWT + Tomcat应用程序执行身份验证和授权的最佳策略？

策略：

1. 保护入口点;
   
2. 保护远程服务。

确保入口点

最简单的方法是限制对html / js文件的访问由GWT使用常规Web应用程序安全工具生成：

• Spring Security;
  
• web.xml约束。
  

这可以让你有一个例如 AdminEntryPoint 和 UserEntryPoint 。

确保远程服务

如果上述解决方案不够，可以深入挖掘。我在Spring Security中这样做了。我还没有找到将Spring Security与GWT集成的100％干净方式，所以我添加了一些胶水。简而言之：

• 创建了一个注释 @AllowedRoles ，它列举了允许访问的用户角色该服务方法;
  
• 创建了一个允许检查当前用户的 UserDetailsS​​ervice （请参阅; /> / li>
  
• 创建了一个Spring方面，该方面与前面提到的注释中注解的所有方法相匹配。它使用该服务来检索当前用户的角色，并引发一个检查的异常以指示非法访问;
  
• 修改所有服务方法以引发安全异常。

What are the best strategies to secure your GWT + Tomcat app to perform authentication and authorization?

解决方案

Therea are two basic strategies:

1. secure the entry points;
2. secure the remote services.

Secure the entry points

The simplest way is to restrict access to the html/js files generated by GWT using regular web application security tools:

• Spring Security;
• web.xml constraints.

This can allow you to have an e.g. AdminEntryPoint and UserEntryPoint.

Secure the remote services

If the above solution is not enough, you can dig deeper. I have done so with Spring Security. I have not found a 100% clean way of integrating Spring Security with GWT, so I added a bit of glue. Briefly:

• created an annotation @AllowedRoles which enumerates the user roles allowed to access that service method;
• created a UserDetailsService which allows inspection of the current user ( see the SecurityContextHolder javadoc for details);
• created a Spring aspect which matches all methods annotated with the beforementioned annotation. It uses the service to retrieve the roles of the current user and throws a checked exception to signal an illegal access;
• modified all service methods to throw the security exception.

这篇关于GWT和认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！