
Thread: How to setup Spring Security with GWT

  1. #1
    Join Date
    Feb 2006
    Location
    Munich, Germany
    Posts
    9

    How to setup Spring Security with GWT

    Hi,

    I'm currently writing a webapp using GWT 1.5.x. On the server side I want to use Spring Security (both url and method security).

    On the client side I'm planning to have two GWT modules:
    1. A login module
    2. The actual application module

    The login module I want to use as AuthenticationEntryPoint. It contains a GWT service which actually performs the authentication. What is somewhat unclear to me is how to integrate that with Spring Security.

    Does anybody have some samples, tutorials or the like I can look at as a starting point?

    Thanks in advance
    Harald

  2. #2
    Join Date
    Aug 2008
    Location
    Phoenix, AZ
    Posts
    76

    I used Spring Security to secure my GWT web application.

    I decided to do the login form as a stand-alone html/jsp form (instead of creating a login GWT module)... that way I can take advantage of the form-based login that Spring Security affords.

    The trick is to set up your filter chain to block any access to your GWT application (which includes RPCs) and only allow access once authenticated. If you have specific questions, I'd be happy to try and answer.

    Cheers..

  3. #3
    Join Date
    Feb 2006
    Location
    Munich, Germany
    Posts
    9

    Hi posta07,

    thanks for your answer. That's exactly the approach I also have chosen after some trial and error.

    I have one further question:
    How do you handle exceptions from Spring Security? Are they wrapped inside an InvocationException and can be handled by the onFailure method?

    Best Regards
    Harald

  4. #4
    Join Date
    Aug 2008
    Location
    Phoenix, AZ
    Posts
    76

    How do you handle exceptions from Spring Security?
    I believe you mean exceptions that are thrown because of authentication errors? When you wire up an ExceptionTranslationFilter to your filter chain you can specify what pages handle what errors or you can create your own handlers.

    Alternatively, are you referring to trying to handle Spring Security exceptions within your GWT-RPC call (onFailure()...)?

    Cheers...

  5. #5
    Join Date
    Feb 2006
    Location
    Munich, Germany
    Posts
    9

    Quote Originally Posted by posta07
    Alternatively, are you referring to trying to handle Spring Security exceptions within your GWT-RPC call (onFailure()...)?

    That's exactly what I mean

  6. #6
    Join Date
    Aug 2008
    Location
    Phoenix, AZ
    Posts
    76

    I haven't dealt with that level of exception handling yet (within the GWT modules), so I am not sure. I assume what you're trying to do is make sure that once a user is authenticated that they do not have access to certain RPC calls that they should not be making?

    I guess the way I would approach that is to secure the RPC methods with Spring AOP and then have the security logic determine whether the user is allowed to access (based on their roles, rights, etc)... then throw the appropriate exceptions which can be caught in your onFailure method.

    If you, or anyone reading this, can think of a better way to do this, I'm all ears

    Let me know how you end up doing this!

  7. #7
    Join Date
    Aug 2008
    Posts
    1

    handle session timeout

    Hi!

    How do you handle a session timeout? I have a GWT application with an HTML/JSP form for login. When the session times out (or Tomcat is restarted), the RPC call onFailure shows the login page as error message. So I could find out that the user must re-login in the error handler. I can then show a login-window (GWT). But how do I repeat the failed RPC call?

    Anyone solved this problem?

    regards
    Christof

  8. #8
    Join Date
    Jun 2005
    Location
    Montreal, Quebec
    Posts
    24

    Try using this:

    Code:
    // Send the browser to the login page when an Ajax call returns HTTP 403
    var invalidSession = function(){ window.location = '<%= request.getContextPath() %>/login.jsp'; };
    Ext.lib.Ajax.on('status:403', invalidSession );

    For Spring Security with GWT, you would have to code the FormPanel to perform a traditional form POST as opposed to an XHR call. The issue with doing it through an XHR call is that the return data is not in the proper format so GWT does not know what to do, or if you are stuck on using XHR, then you would have to write your own RequestCallback as a handler and parse the return information manually for the onSuccess and onFailure.

    Good luck.
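
Added example, not part of the original posts: one way to do the manual response check described above and to park RPC calls that hit an expired session so they can be repeated after re-login. The function and class names, the synchronous `send` stand-in and the sample responses are assumptions; the `//OK` and `//EX` prefixes are how GWT-RPC response payloads begin.

```javascript
// Added example (not from the thread). All names and sample responses are constructed.
const GWT_RPC_PREFIXES = ['//OK', '//EX']; // GWT-RPC payloads start with one of these

// Decide what a transport response means before GWT tries to deserialize it.
function classifyRpcResponse(res) {
  if (res.status === 401 || res.status === 403) return 'reauth';
  if (res.status !== 200) return 'error';
  if (GWT_RPC_PREFIXES.some((p) => res.body.startsWith(p))) return 'rpc';
  // 200 + HTML: the XHR silently followed the redirect to the login form.
  if (/^text\/html/i.test(res.contentType || '')) return 'reauth';
  return 'error';
}

class ReplayQueue {
  // send(request) is a synchronous stand-in for the XHR transport.
  constructor(user, send) {
    this.user = user;
    this.send = send;
    this.pending = [];
  }
  call(request) {
    const verdict = classifyRpcResponse(this.send(request));
    if (verdict === 'reauth') this.pending.push(request); // park until re-login
    return verdict;
  }
  // Replay parked calls in order, but only for the user who issued them.
  replay(loggedInUser) {
    const parked = this.pending;
    this.pending = [];
    if (loggedInUser !== this.user) return []; // different user: drop, never replay
    return parked.map((r) => this.call(r));
  }
}

// Constructed demo: the session has expired, then is restored by a login.
function demo() {
  let sessionValid = false;
  const send = () => sessionValid
    ? { status: 200, contentType: 'application/json', body: '//OK[1,["x"],0,5]' }
    : { status: 200, contentType: 'text/html;charset=UTF-8', body: '<html><!-- login.jsp --></html>' };
  const q = new ReplayQueue('alice', send);
  const first = q.call('getPrices');
  sessionValid = true;
  return { first, replayed: q.replay('alice'), left: q.pending.length };
}
```

The server-side filter chain still authorizes every replayed call; the queue only saves the user from repeating the action, and calls that change state should be parked only if repeating them is safe.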

  9. #9
    Join Date
    Jun 2008
    Posts
    4

    Hi posta07,

    I'm new to GWT with Spring Security.
    I have already secured my application with Spring Security. It works fine for webservice calls, but I'm not able to make it work with GWT. It would be really great if I could have a quick look at the security related stuff in your applicationContext.

  10. #10
    Join Date
    Feb 2009
    Posts
    4

    Quote Originally Posted by greco
    Try using this:

    Code:
    // Send the browser to the login page when an Ajax call returns HTTP 403
    var invalidSession = function(){ window.location = '<%= request.getContextPath() %>/login.jsp'; };
    Ext.lib.Ajax.on('status:403', invalidSession );

    For Spring Security with GWT, you would have to code the FormPanel to perform a traditional form POST as opposed to an XHR call. The issue with doing it through an XHR call is that the return data is not in the proper format so GWT does not know what to do, or if you are stuck on using XHR, then you would have to write your own RequestCallback as a handler and parse the return information manually for the onSuccess and onFailure.

    Good luck.

    This approach worked perfectly well for a rookie like me. The GWT Tutorial, http://code.google.com/docreader/#p=...tartedTutorial , introduces the StockWatch application. I modified it to use Spring Security. The resulting WAR file (you can download it from http://minetats.com ) has been successfully tested with Tomcat 6.0.14 on Mac OS. To run this imperfect, but working, example of Spring Security in a GWT app, use rod/koala as userid/passwd.

    In my first message I was not allowed to use URLs, please disregard it.
