In GWT application, how to secure my Places and Activities from unauthorized users?

Question

I have a GWT application using Activities and Places pattern to navigate throw different places in my application. In the application there are places where only authorized user can view.

The authorization mechanism is as follow:

1- user enters username + password

2- check the server for such user with provided password.

3- add Token in Datastore containing SID, username and expire date ( I am using GAE bwt )

4- Send the token to the Client.

Now, Before I allow user to Go to Place I should check if he/she is authorized,by check if his/her token is valid i.e previously saved in the store by authorization operation. I ended up with some ActivityMapper like this one.

public class ApplicationActivityMapper implements ActivityMapper {

  private ActionDispatcherServiceAsync service;

  private SecurityTokenProvider provider;
  private HashMap<Class<? extends Place>, ActivityPlaceMeta> placesActivitiesMap;

  @Inject
  public ApplicationActivityMapper(ActionDispatcherServiceAsync service, SecurityTokenProvider provider, HashMap<Class<? extends Place>, ActivityPlaceMeta> placesActivitiesMap) {

    this.service = service;

    this.provider = provider;

    this.placesActivitiesMap = placesActivitiesMap;

    this.placesActivitiesMap.put(PlaceNotFoundPlace.class, new ActivityPlaceMeta() {
      @Override
      public Activity getActivity(Place place) {
        return new PlaceNotFoundActivity();
      }
    });
  }

  @Override
  public Activity getActivity(Place place) {

    if (place instanceof SecuredPlace) {
      Token token = provider.getToken();
      service.dispatch(new CheckAuthorizationAction(token), new GotResponse<CheckAuthorizationResponse>() {
        @Override
        public void gotResponse(CheckAuthorizationResponse result) {
          if (result.isAuthorized()) {
            //here comes tht problem .... !!! 
            //how to return the place ???
          }
        }
      });
    }

    ActivityPlaceMeta returnedActivity = placesActivitiesMap.get(place.getClass());

    if (returnedActivity == null) {
      return placesActivitiesMap.get(PlaceNotFoundPlace.class).getActivity(new PlaceNotFoundPlace());
    }
    return returnedActivity.getActivity(place);
  }
}

Any other ideas ? Thank in advance.

Answer 1

With GWT applications it is not about securing a part of you UI, it is more about securing your server side that provides the data that is necessary for a certain place.

If some user goes to a place that require a login simply let the remote service fail to provide any data. Your presenter should then handle the failure and maybe redirect to the login place.

Of course you may want to limit navigation in your client if the user is not logged in and you can do so e.g. in your activity mappers.

Answer 2

Wrap your main ActivityMapper in a FilteredActivityMapper. Then in the Filter supplied to its constructor implement your authentication/authorization checks and return e.g. LoginFormPlace if no user is logged in.