Ratn has posted 5 posts at DZone.

Secure Your GWT App Easily

06.09.2010
Securing a GWT web app is quite easy, as most of the application-layer code lives on the client side as JavaScript and the backend services are only used to fetch or update data. You then just have to decide who can access a particular service, but the better idea is to make access control fine-grained at the method level. You should consider fine-grained security because a GWT app is effectively an AJAX app, and one page can call many service methods.

Here I am using Spring AOP to separate business logic from security.

Our domain model looks like this -

//A User has one Role
@Entity
public class User {
  @OneToOne
  private Role role;

  //other code.
}


//A Role has a collection of Permissions
@Entity
public class Role {

  private String name;
  @ManyToMany
  private Set<Permission> permission;
}

Here I am attaching permissions to a Role, so that when setting the security level of a method the developer has to think only about the permission.


@Entity 
public class Permission {
  private String name;
}



Now let's write a custom security annotation

import java.lang.annotation.*;

//Retention is set to RUNTIME so that the annotation is still present at run time
//if you don't set Retention to RUNTIME, the aspect cannot see this annotation and it won't work
@Retention(RetentionPolicy.RUNTIME)
//this annotation can be put on methods
@Target({ElementType.METHOD})
@Inherited
public @interface RequirePermission {
  String value();
}


Now let's write an around advice using Spring AOP

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Aspect
@Component //the aspect must itself be a Spring bean so that it is applied and can be autowired
public class CheckPermissionAspect {

   //a utility class that decides whether the currently logged-in user has a Permission
   @Autowired PermissionHandler permissionHandler;

   //I am using around advice because it has to decide whether to call the target method or not, depending on the Permission
   //this advice targets methods annotated with @RequirePermission on a class annotated with @Service;
   //@annotation(permission) binds the annotation instance to the 'permission' parameter
   @Around("@target(org.springframework.stereotype.Service) && @annotation(permission)")
   public Object handlePermission(ProceedingJoinPoint joinPoint, RequirePermission permission) throws Throwable {
       if (permissionHandler.doesCurrentUserHasPermission(permission.value())) {
           return joinPoint.proceed();
       } else {
           throw new AccessException("Current user does not have required permission");
       }
   }
}

Now let's write an example service for an online shopping web application -

import java.util.ArrayList;
import java.util.List;
import org.springframework.stereotype.Service;

@Service
public class OnlineOfferServiceImpl implements OnlineOfferService {

        //you can give this permission to the admin of the store, to a manager, or to a few employees
        @RequirePermission("ADD_NEW_OFFER")
        public void addNewOffer() {
        }

        //you can give this Permission to just the admin
        @RequirePermission("DELETE_OFFER")
        public void deleteOffer(int offerId) {
        }

        //you can give this permission to everyone other than guests
        @RequirePermission("LIST_OFFERS")
        public List<Offers> getAllOffers() {
            return new ArrayList<Offers>();
        }
}
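One check worth adding alongside this design (my own added example, not code from the original post): because the aspect only guards methods that carry @RequirePermission, a forgotten annotation silently leaves a service method reachable by any GWT-RPC caller. The helper below uses reflection to list such methods so a build-time test can fail; it assumes the RequirePermission annotation defined above is on the classpath, and SampleService is a constructed stand-in for a real service.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

// Added example, not part of the original post. Finds public methods of a
// service class that the aspect above would NOT protect because they lack
// @RequirePermission. Assumes the RequirePermission annotation shown earlier.
public class PermissionCoverageCheck {

    // Returns the names of public, non-static methods declared on the class
    // that carry no @RequirePermission annotation (i.e. they bypass the aspect).
    public static List<String> unprotectedMethods(Class<?> service) {
        List<String> missing = new ArrayList<String>();
        for (Method m : service.getDeclaredMethods()) {
            int mods = m.getModifiers();
            // skip non-public, static and compiler-generated methods
            if (!Modifier.isPublic(mods) || Modifier.isStatic(mods) || m.isSynthetic()) {
                continue;
            }
            if (!m.isAnnotationPresent(RequirePermission.class)) {
                missing.add(m.getName());
            }
        }
        return missing;
    }

    // Constructed sample service: one method forgot its annotation.
    public static class SampleService {
        @RequirePermission("LIST_OFFERS")
        public void getAllOffers() {
        }

        public void deleteOffer(int offerId) {   // no annotation: aspect never runs here
        }
    }

    // Run this from a unit test so a missing annotation breaks the build.
    public static void main(String[] args) {
        List<String> missing = unprotectedMethods(SampleService.class);
        if (!missing.isEmpty()) {
            throw new IllegalStateException("Unprotected service methods: " + missing);
        }
    }
}
```

Running the check against every @Service class (for example from a Spring context scan) turns a missed annotation into a failing test instead of an open endpoint.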

So this way the developer has to think only about the Permission when securing a method and need not worry about the ROLE. It also gives fine-grained control: you can assign any Permission to any Role, change the assignment later in the database, and never have to change any code in your service.