«

Hi everybody,
I'm wondering if you could suggest me any way to implement "user
roles" in GWT applications. I would like to implement a GWT
application where users log in and are assigned "roles". Based on
their role, they would be able to see and use different application
areas.

Thank you very much in advance for your help!

carmelo wrote:
> Hi everybody,
> I'm wondering if you could suggest me any way to implement "user
> roles" in GWT applications. I would like to implement a GWT
> application where users log in and are assigned "roles". Based on
> their role, they would be able to see and use different application
> areas.

http://lmgtfy.com/?q=Implementing+us...+Java+with+GWT

--
Lew
Honi soit qui mal y pense.

On 07-03-2011 16:25, carmelo wrote:
> I'm wondering if you could suggest me any way to implement "user
> roles" in GWT applications. I would like to implement a GWT
> application where users log in and are assigned "roles". Based on
> their role, they would be able to see and use different application
> areas.

The real GWT code execute client side.

Client side checks are for convenience not for security.

So you should secure your server side (GWT RPC calls or
some custom REST or whatever) with user roles.

For convenience you can have the app request roles
from the server and act based on that.

Arne

> The real GWT code execute client side.
>
> Client side checks are for convenience not for security.
>
> So you should secure your server side (GWT RPC calls or
> some custom REST or whatever) with user roles.
>
> For convenience you can have the app request roles
> from the server and act based on that.

Thank you for your answer Arne.
Therefore a good way could be to retrieve user roles from server with
an RPC call. How would you implement "user roles"? A sort of
"permissions" list for the logged user, retrieved from server,
generated from the groups the user belongs to.

What do you think about?

Is there any framework which could help me on this?

I'm also considering java security frameworks like Apache Shiro and
Spring Security... What do you think about them?

On 3/8/2011 7:17 AM, carmelo wrote:
> I'm also considering java security frameworks like Apache Shiro and
> Spring Security... What do you think about them?

I would start with the basics:

<http://download.oracle.com/javaee/5/tutorial/doc/bncav.html>

I don't have any opinions on specific frameworks or implementations.

On 08-03-2011 09:23, carmelo wrote:
>> The real GWT code execute client side.
>>
>> Client side checks are for convenience not for security.
>>
>> So you should secure your server side (GWT RPC calls or
>> some custom REST or whatever) with user roles.
>>
>> For convenience you can have the app request roles
>> from the server and act based on that.
>
> Thank you for your answer Arne.
> Therefore a good way could be to retrieve user roles from server with
> an RPC call. How would you implement "user roles"? A sort of
> "permissions" list for the logged user, retrieved from server,
> generated from the groups the user belongs to.
>
> What do you think about?
>
> Is there any framework which could help me on this?

Roles is a part of servlets, so any servlet container
already has them.

Arne

On 08-03-2011 10:17, carmelo wrote:
> I'm also considering java security frameworks like Apache Shiro and
> Spring Security... What do you think about them?

What do you need from them that standard servlet users and
roles does not provide?

Arne

My purpose is to develop a role-based UI developed with GWT, where
users have hierarchical roles.

So, related problems are:

- How to implement hierarchical roles. Using security frameworks, or
manually creating db tables and java code?
- How to check user permissions, based on user roles, client-side and
server-side. Checking user roles server-side and communicating a list
of user permissions to client-side through an RCP call on login?

On Tue, 8 Mar 2011, Arne Vajhøj wrote:

> On 08-03-2011 10:17, carmelo wrote:
>> I'm also considering java security frameworks like Apache Shiro and
>> Spring Security... What do you think about them?
>
> What do you need from them that standard servlet users and roles does
> not provide?

I don't know what Carmelo needs, but here are some of the things he could
have:

http://www.acegisecurity.org/faq.htm...ml%20security?
http://www.acegisecurity.org/ (bullet points at the top)

My own personal beef with J2EE security is that, as with some other bits
of J2EE, critical bits of configuration are container-specific. One of the
things Acegi does, according to its claims, is overcome that.

tom

--
It's just really ****ing good and that's all. -- Gabe, on the Macintosh