GWT servlet filter ,How to identify special service request?

社会主义新天地 提交于 2019-12-06 11:36:18

问题


I created a app with GWT+requestfacotry(MVP)+GAE. There are some service or method exposed to GWT client ,such as

1.create 
2.remove
3.query

I want to add authorization function to "create" and "remove" ,but not to "query". I did it with servlet filter :

 public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
      FilterChain filterChain) throws IOException, ServletException {
    UserService userService = UserServiceFactory.getUserService();
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;

    if (!userService.isUserLoggedIn()) {

        response.setHeader("login", userService.createLoginURL(request.getHeader("pageurl")));
     // response.setHeader("login", userService.createLoginURL(request.getRequestURI()));
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return; 
    } 

    filterChain.doFilter(request, response);
  }

My question is how to identify what request (I mean the request will route to which class and service )coming in ? There are some head fields contain the module name ,but I don't it is the security way to do. Is it possible to get RequestFacotry relevant class from http request ?

Thanks


回答1:


It's hard to do this within the servlet-filter. Instead you can provide a custom decorator within the RF ServiceLayerDecorator chain. Implementation can looks like this:

import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;

public class SecurityDecorator extends ServiceLayerDecorator {

  @Override
  public Object invoke( Method domainMethod, Object... args ) {
    if ( !isAllowed( domainMethod) ) {
      handleSecurityViolation();
    }
    return super.invoke( domainMethod, args );
  }
}

To register the additional decorator, provide a custom RF servlet:

import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;

public class SecurityAwareRequestFactoryServlet extends RequestFactoryServlet {

  public SecurityAwareRequestFactoryServlet() {
    super( new DefaultExceptionHandler(), new SecurityDecorator() );
  }
}  

and register it in your web.xml:

<servlet>
    <servlet-name>gwtRequest</servlet-name>
    <servlet-class>com.company.SecurityAwareRequestFactoryServlet</servlet-class>
</servlet>


来源:https://stackoverflow.com/questions/11525787/gwt-servlet-filter-how-to-identify-special-service-request

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!