Tags: gwt, servlets, mvp, servlet-filters, requestfactory

GWT servlet filter: how to identify a specific service request?


I created an app with GWT + RequestFactory (MVP) + GAE. There are some services or methods exposed to the GWT client, such as:

1. create
2. remove
3. query

I want to add an authorization function to "create" and "remove", but not to "query". I did it with a servlet filter:

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
        FilterChain filterChain) throws IOException, ServletException {
      UserService userService = UserServiceFactory.getUserService();
      HttpServletRequest request = (HttpServletRequest) servletRequest;
      HttpServletResponse response = (HttpServletResponse) servletResponse;

      // Reject every request from a user who is not logged in.
      if (!userService.isUserLoggedIn()) {
        // Return the login URL in a "login" response header; the "pageurl"
        // request header is supplied by the client.
        response.setHeader("login", userService.createLoginURL(request.getHeader("pageurl")));
        // response.setHeader("login", userService.createLoginURL(request.getRequestURI()));
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
      }

      filterChain.doFilter(request, response);
    }

My question is how to identify which request is coming in (I mean which class and service the request will be routed to). There are some header fields that contain the module name, but I don't think it is a secure way to do it. Is it possible to get the relevant RequestFactory class from the HTTP request?

Thanks


Solution

  • It's hard to do this within the servlet filter. Instead, you can provide a custom decorator within the RF ServiceLayerDecorator chain. An implementation can look like this:

    import java.lang.reflect.Method;

    import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;

    public class SecurityDecorator extends ServiceLayerDecorator {

      // isAllowed() and handleSecurityViolation() are application-specific
      // helpers that are not shown here.
      @Override
      public Object invoke( Method domainMethod, Object... args ) {
        if ( !isAllowed( domainMethod ) ) {
          handleSecurityViolation();
        }
        return super.invoke( domainMethod, args );
      }
    }
    

    To register the additional decorator, provide a custom RF servlet:

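    import com.google.web.bindery.requestfactory.server.DefaultExceptionHandler;
    import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;

    public class SecurityAwareRequestFactoryServlet extends RequestFactoryServlet {

      public SecurityAwareRequestFactoryServlet() {
        // Pass the decorator to the servlet so it joins the ServiceLayer chain.
        super( new DefaultExceptionHandler(), new SecurityDecorator() );
      }
    }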
    

    and register it in your web.xml:

    <servlet>
        <servlet-name>gwtRequest</servlet-name>
        <servlet-class>com.company.SecurityAwareRequestFactoryServlet</servlet-class>
    </servlet>