I want to apply ACLs to all the requests going through my request factory. Therefore I override the RequestFactoryServlet and its doPost() method. Now I can get the user from the session, check if he's logged in and so on. But I also want to check his rights and only allow the user to call specific methods. So, for example, only admin users are allowed to call methods which write data to the database.
Now my questions:
    String jsonRequestString = RPCServletUtils.readContent(request, JSON_CONTENT_TYPE, JSON_CHARSET);
But it only provides a very cryptic string. My code would look like this:
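    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    import com.google.web.bindery.requestfactory.server.RequestFactoryServlet; // GWT 2.4+ package

    public class MyRequestFactoryServlet extends RequestFactoryServlet {
        @Override
        protected void doPost(HttpServletRequest request,
                HttpServletResponse response) throws IOException, ServletException {
            // Use the request parameter: getThreadLocalRequest() is only set inside super.doPost()
            HttpSession session = request.getSession();
            User user = (User) session.getAttribute("user"); // User: the application's own class
            // check rights for user and only allow some methods
            super.doPost(request, response);
        }
    }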
The solution is to create a standard RequestFactoryServlet with your ServiceLayerDecorator. In your ServiceLayerDecorator, you can override the invoke method.
However, I would prefer to do the ACL in the business object directly.
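A sketch of the decorator approach described in this answer, added here as an example; it is not code from the question or the answer. The `RequiresRole` annotation and the `User` interface are hypothetical stand-ins for the application's own types, the session attribute name `"user"` is taken from the question, and the imports assume the GWT 2.4+ `com.google.web.bindery` package.

```java
import com.google.web.bindery.requestfactory.server.DefaultExceptionHandler;
import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;
import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;
import java.lang.annotation.*;
import java.lang.reflect.Method;
import javax.servlet.http.HttpSession;

public class AclRequestFactoryServlet extends RequestFactoryServlet {

  /** Hypothetical marker placed on service methods; not part of GWT. */
  @Retention(RetentionPolicy.RUNTIME)
  @Target(ElementType.METHOD)
  public @interface RequiresRole { String value(); }

  /** Hypothetical principal type, standing in for the question's User class. */
  public interface User { boolean hasRole(String role); }

  static class AclDecorator extends ServiceLayerDecorator {
    @Override
    public Object invoke(Method domainMethod, Object... args) {
      // Runs once per service-method invocation, with the resolved
      // java.lang.reflect.Method, so no payload parsing is needed.
      RequiresRole required = domainMethod.getAnnotation(RequiresRole.class);
      if (required == null) {
        // Default deny: a method nobody annotated is not callable.
        return report("Access denied");
      }
      // Valid here because invoke() executes inside doPost().
      HttpSession session =
          RequestFactoryServlet.getThreadLocalRequest().getSession(false);
      Object principal = session == null ? null : session.getAttribute("user");
      if (!(principal instanceof User)
          || !((User) principal).hasRole(required.value())) {
        // report() throws, so the client receives a failure for this call.
        return report("Access denied");
      }
      return super.invoke(domainMethod, args);
    }
  }

  public AclRequestFactoryServlet() {
    // Register the decorator; map this servlet in web.xml instead of the stock one.
    super(new DefaultExceptionHandler(), new AclDecorator());
  }
}
```

Property reads and writes on proxies go through `getProperty` and `setProperty` rather than `invoke`, so this check covers service-method calls only.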