For Request factory calls I can use ServiceLayerDecorator.invoke(Method domainMethod, Object... args) to check for every method that is invoked, if the user has a valid session and is allowed to access the method. What is the equivalent for RPC calls?
You could override AbstractRemoteServiceServlet.onAfterRequestDeserialized(RPCRequest)
/**
* Override this method to examine the deserialized version of the request
* before the call to the servlet method is made. The default implementation
* does nothing and need not be called by subclasses.
*
* @param rpcRequest
*/
protected void onAfterRequestDeserialized(RPCRequest rpcRequest) {
}
for your servlets. Maybe create a central MyBaseRemoteServiceServlet, where you override the method, and then derive all your remote service servlets from that. The RPCRequest should contain all the info you need, including the method that was called, and its parameters.