Monday, May 2, 2011

Accessing session objects with GWT and Spring security

There are several tutorials on how GWT and Spring can be integrated (e.g. and ) and they have done a good enough job for me not to cover those topics in detail.

I found details scarce on how to use sessions in a GWT environment to store and retrieve values during RPC calls.

Problem:
Spring Security, by default, works with URL rewriting, i.e. it appends ';jsessionid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' to the URL of the authenticated page. This jsessionid is sent back to the server when another page is requested, and in this way the request is assumed to be coming from the same user.

The problem with this approach is that there is no way to append the jsessionid field to the RPC call URL, so the RPC call is not authenticated. If you require authentication for the RPC call's path (using access="ROLE_XXX" or access="isAuthenticated()" etc.), none of the RPC calls succeed. If you do not require authentication for the RPC call's path, the principal received on these calls is "anonymousUser", a new session id is assigned to each request, and whatever you stored in the session last time is inaccessible.

Solution:

The solution is strikingly simple: use cookies to carry the session. For this to work you need to do the following:
1) In the Spring Security 3+ security configuration, disable URL rewriting
....
2) Allow your server to use cookies for session management. For Tomcat 6, which I was using, this can be done by setting the 'cookies' attribute to true in context.xml in the conf folder. More detail can be found at and in the other pages listed under its "related questions".
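The two configuration changes above, written out as an added example (not the post's own configuration files). The URL patterns, the login page, the user name and the CHANGE-ME password are placeholders; disable-url-rewriting is the real Spring Security 3 namespace attribute, and cookies is the real Tomcat Context attribute (it defaults to true, so setting it explicitly only matters if something else in the environment turned it off). With URL rewriting disabled the session id travels only in the JSESSIONID cookie, which the browser sends on GWT RPC requests automatically, and no session id is ever written into links, logs or Referer headers.

```xml
<!-- WEB-INF/spring-security.xml (assumed file name), Spring Security 3 namespace -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- disable-url-rewriting="true" stops ;jsessionid=... from being appended to
         URLs, so the session is identified by the JSESSIONID cookie alone. -->
    <http auto-config="true" use-expressions="true" disable-url-rewriting="true">
        <!-- GWT host page and RPC servlet paths are assumptions -->
        <intercept-url pattern="/app/**" access="isAuthenticated()" />
        <intercept-url pattern="/app/rpc/**" access="isAuthenticated()" />
        <form-login login-page="/login.jsp" />
    </http>

    <!-- minimal in-memory user so the context loads; replace for real use -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="alice" password="CHANGE-ME" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

<!-- conf/context.xml (Tomcat 6): cookies="true" lets the container issue and
     read the JSESSIONID cookie instead of relying on URL rewriting. -->
<Context cookies="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

With both pieces in place, the RPC path can be protected with access="isAuthenticated()" as in the post, because the cookie set at login is presented on every RPC call and the security filter chain resolves the same principal and session for each of them.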

Voila! Everything works, and the session object on the server side can be retrieved using the following code:

import javax.servlet.http.HttpSession;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// getSession(false) returns null instead of creating a new session
HttpSession session = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes())
        .getRequest().getSession(false);

UPDATE

I stumbled upon a simpler way to access the request object and hence the underlying session. GWT exposes the current request through the method getThreadLocalRequest. From the request object the session can be obtained. More details can be found in the javadoc.
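As an added example (not code from the post or from GWT itself), here is a RemoteServiceServlet that uses getThreadLocalRequest() to keep a per-user counter in the HttpSession. The package, the CounterService interface, the increment() method and the attribute key are assumptions; RemoteServiceServlet.getThreadLocalRequest(), HttpServletRequest.getSession(boolean) and the Spring Security classes are real. It also shows the two checks a practitioner wants on an RPC entry point: rejecting the anonymous principal the post describes, and treating a missing session as a configuration error rather than silently creating a fresh one.

```java
package example.server; // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

import com.google.gwt.user.server.rpc.RemoteServiceServlet;

import example.client.CounterService; // hypothetical GWT RemoteService interface

public class CounterServiceImpl extends RemoteServiceServlet implements CounterService {

    // assumed session attribute name; namespaced to avoid clashes with other components
    private static final String COUNTER_KEY = "example.counter";

    @Override
    public int increment() {
        // Do not trust the servlet mapping alone: if the RPC path were left open,
        // Spring Security would hand us the anonymous principal from the post.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            throw new IllegalStateException("RPC call is not authenticated");
        }

        // GWT binds the current request to the thread handling this RPC call.
        HttpServletRequest request = getThreadLocalRequest();

        // getSession(false) never creates a session. With cookies working, the
        // JSESSIONID cookie from login resolves to the existing one; null means
        // the cookie was not presented (e.g. URL rewriting is still in effect).
        HttpSession session = request.getSession(false);
        if (session == null) {
            throw new IllegalStateException(
                "No HTTP session on RPC call; check cookie and url-rewriting configuration");
        }

        Integer count = (Integer) session.getAttribute(COUNTER_KEY);
        int next = (count == null) ? 1 : count + 1;
        session.setAttribute(COUNTER_KEY, next);
        return next;
    }
}
```

Because the session is looked up with getSession(false), a misconfigured deployment fails loudly on the first RPC call instead of appearing to work while every request gets its own empty session, which is exactly the symptom described under "Problem".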
