GWT and JAAS- What is the best practice to secure a GWT app

1
votes

We are building a big gwt app with lots of JavaEE elements..

Our structure so far contains the following:

  • GWT
  • TomEE/Tomcat as servlet container
  • OpenEJB (JPA, JTA)

We thought about JAAS for our security layer, because then we do not have to reinvent the wheel again and TomEE supports that already.

My big question is: What is the best way to use Jaas within GWT?

The problem is, that Jaas thinks of servlets and routes and is good if you have an MVC approach. But what if we had just one big servlet, our GWT app, which uses places/activities inside and doesnt act like Jaas thinks?

Possible approaches:

  1. Multiple entrypoints in GWT:
    • One entrypoint for Login, may use self-implemented LoginModule
    • One entrypoint for the app itself, this should be secured
  2. Multiple modules / module configurations
    • more modules, one entrypoint for each
    • secure routes in servlet?
  3. Implement security in the app itself
    • SessionService and SecurityExceptions
    • implement the auth mechanisms on our own..
  4. Just one entrypoint and some lightweight login form, JSP maybe..

Does anyone have experiences with GWT and Jaas? What is the best-practice approach for reusable security with GWT?

Links I found so far:

some security in web.xml, but only google stuff: https://developers.google.com/appengine/docs/java/config/webxml#Security_and_Authentication

we do not want to use spring: GWT: How to download EntryPoint after authenticating?

Example with multiple modules: https://github.com/ashtonthomas/GwtAdvancedLogin/tree/master/src/com/acrinta/client/login

1
jakarta-eegwtjaasapache-tomeeopenejb

1 Answers

2
votes

If your app requires the user to be authenticated, then definitely go with a <login-config> <auth-method>FORM</auth-method>; then you (almost) don't need to care at all in your GWT client-side code.

And for server-side code, to make it easier to process sign-outs on the client-side, then don't protect your GWT-RPC (or RequestFactory or whatever) servlets using <security-constraint>s but just use a filter that checks whether the user is authenticated (getUserPrincipal() != null) and then responds with a 401 status code.

You can find an example configuration of that with RequestFactory, in the form of a Maven archetype, at https://github.com/tbroyer/gwt-maven-archetypes, in the guice-rf-activities archetype:

  • web.xml
  • server-side servlet filter
  • client-side RequestFactory RequestTransport to handle errors from the filter. If you use GWT-RPC, you'd have to implement that logic in the onFailure of all your AsyncCallback, when you get a StatusCodeException.