We are building a big GWT app with lots of JavaEE elements.
Our structure so far contains the following:
We thought about JAAS for our security layer, because then we do not have to reinvent the wheel again and TomEE supports that already.
My big question is: What is the best way to use Jaas within GWT?
The problem is, that Jaas thinks of servlets and routes and is good if you have an MVC approach. But what if we had just one big servlet, our GWT app, which uses places/activities inside and doesn't act like Jaas thinks?
Possible approaches:
Does anyone have experiences with GWT and Jaas? What is the best-practice approach for reusable security with GWT?
Links I found so far:
some security in web.xml, but only google stuff: https://developers.google.com/appengine/docs/java/config/webxml#Security_and_Authentication
we do not want to use spring: GWT: How to download EntryPoint after authenticating?
Example with multiple modules: https://github.com/ashtonthomas/GwtAdvancedLogin/tree/master/src/com/acrinta/client/login
If your app requires the user to be authenticated, then definitely go with a <login-config> with <auth-method>FORM</auth-method>; then you (almost) don't need to care at all in your GWT client-side code.
And for server-side code, to make it easier to process sign-outs on the client-side, then don't protect your GWT-RPC (or RequestFactory or whatever) servlets using <security-constraint>s but just use a filter that checks whether the user is authenticated (getUserPrincipal() != null) and then responds with a 401 status code.
You can find an example configuration of that with RequestFactory, in the form of a Maven archetype, at https://github.com/tbroyer/gwt-maven-archetypes, in the guice-rf-activities archetype: see its web.xml, and its RequestTransport to handle errors from the filter. If you use GWT-RPC, you'd have to implement that logic in the onFailure of all your AsyncCallbacks, when you get a StatusCodeException.
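The filter-plus-401 approach from the answer above, written out as an added example; it is not code from the answer or from the gwt-maven-archetypes project. The class names RpcAuthFilter, AuthAwareCallback and onOtherFailure are hypothetical, and the server-side filter and the client-side callback are shown in one listing only for reading; in a real project they live in the server and client source folders respectively.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.StatusCodeException;

/** Server side (hypothetical): map this filter to the RPC servlet's url-pattern in
 *  web.xml instead of covering that path with a <security-constraint>. */
public class RpcAuthFilter implements Filter {
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // The container's FORM login (backed by the JAAS realm) sets the principal;
        // without one, answer 401 so the client gets a status code, not a login page.
        if (request.getUserPrincipal() == null) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("text/plain");
            response.getWriter().write("authentication required");
            return; // never reach the RPC servlet
        }
        chain.doFilter(req, res);
    }
}

// Client side (hypothetical, belongs in the GWT client source path): one base
// callback so every RPC reacts to the filter's 401 in the same way.
abstract class AuthAwareCallback<T> implements AsyncCallback<T> {
    @Override
    public void onFailure(Throwable caught) {
        if (caught instanceof StatusCodeException
                && ((StatusCodeException) caught).getStatusCode() == 401) {
            // Session is gone: reload so the container serves the FORM login page.
            Window.Location.reload();
            return;
        }
        onOtherFailure(caught);
    }
    protected abstract void onOtherFailure(Throwable caught);
}
```

The <security-constraint> with FORM auth still guards the GWT host page, so a user who is not logged in lands on the login form before the module is even loaded; the filter only covers the RPC path.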