User roles in GWT applications

[carmelo]

Hi everybody,
I'm wondering if you could suggest me any way to implement "user
roles" in GWT applications. I would like to implement a GWT
application where users log in and are assigned "roles". Based on
their role, they would be able to see and use different application
areas.

Thank you very much in advance for your help!

 

[Lew]

Hi everybody,
I'm wondering if you could suggest me any way to implement "user
roles" in GWT applications. I would like to implement a GWT
application where users log in and are assigned "roles". Based on
their role, they would be able to see and use different application
areas.

http://lmgtfy.com/?q=Implementing+user+roles+in+Java+with+GWT

 

[Arne Vajhøj]

I'm wondering if you could suggest me any way to implement "user
roles" in GWT applications. I would like to implement a GWT
application where users log in and are assigned "roles". Based on
their role, they would be able to see and use different application
areas.

The real GWT code execute client side.

Client side checks are for convenience not for security.

So you should secure your server side (GWT RPC calls or
some custom REST or whatever) with user roles.

For convenience you can have the app request roles
from the server and act based on that.

Arne

 

[carmelo]

The real GWT code execute client side.

Client side checks are for convenience not for security.

So you should secure your server side (GWT RPC calls or
some custom REST or whatever) with user roles.

For convenience you can have the app request roles
from the server and act based on that.

Thank you for your answer Arne.
Therefore a good way could be to retrieve user roles from server with
an RPC call. How would you implement "user roles"? A sort of
"permissions" list for the logged user, retrieved from server,
generated from the groups the user belongs to.

What do you think about?

Is there any framework which could help me on this?

 

[carmelo]

I'm also considering java security frameworks like Apache Shiro and
Spring Security... What do you think about them?

 

[markspace]

I'm also considering java security frameworks like Apache Shiro and
Spring Security... What do you think about them?

I would start with the basics:

<http://download.oracle.com/javaee/5/tutorial/doc/bncav.html>

I don't have any opinions on specific frameworks or implementations.

 

[Arne Vajhøj]

Thank you for your answer Arne.
Therefore a good way could be to retrieve user roles from server with
an RPC call. How would you implement "user roles"? A sort of
"permissions" list for the logged user, retrieved from server,
generated from the groups the user belongs to.

What do you think about?

Is there any framework which could help me on this?

Roles is a part of servlets, so any servlet container
already has them.

Arne

 

[Arne Vajhøj]

I'm also considering java security frameworks like Apache Shiro and
Spring Security... What do you think about them?

What do you need from them that standard servlet users and
roles does not provide?

Arne

 

[carmelo]

My purpose is to develop a role-based UI developed with GWT, where
users have hierarchical roles.

So, related problems are:

- How to implement hierarchical roles. Using security frameworks, or
manually creating db tables and java code?
- How to check user permissions, based on user roles, client-side and
server-side. Checking user roles server-side and communicating a list
of user permissions to client-side through an RCP call on login?

 

[Tom Anderson]

What do you need from them that standard servlet users and roles does
not provide?

I don't know what Carmelo needs, but here are some of the things he could
have:

http://www.acegisecurity.org/faq.html#Why not just use web.xml security?
http://www.acegisecurity.org/ (bullet points at the top)

My own personal beef with J2EE security is that, as with some other bits
of J2EE, critical bits of configuration are container-specific. One of the
things Acegi does, according to its claims, is overcome that.

tom