How do you check RPC and REST requests in GWT?



  • There is a frontend server on Tomcat with a user interface on GWT-Platform and a backend server on Google AppEngine with the business logic. Requests are made through both gwtp-dispatch-rpc-client and gwtp-dispatch-rest. Authorization takes place through OAuth. It is not possible to do this through sessions, as it was when everything was on the same server.

    Any idea how to make such secure requests from frontend to backend?

    UPD

    The sessions are on the backend. It's not clear how I find out there that the request came from this client, because no information, at least with rpc-dispatch, is available on the request. With REST, I think it's easier because I can send the session token in my request, but what to do with RPC, I don't know.

    The question is even broader: how, in RPC-Dispatch, can the request be made not to the same server but to a completely different address, and how can the token obtained from the authorization be passed with the request?

    I suggest that after the OAuth authorization there should be a redirect to the frontend with a token, for example, from the session. And then this token is transferred with every request.



    1. The server identifies the client by a cookie. For Java, that is JSESSION, although this is not a strict rule and it is possible to write your own system of sessions. It's supposed to be impossible to intercept the cookie if you have https, or to fake it (that is, a set of more than 30 random symbols).
    2. I've never worked with GWTP, but about GWT RPC I can say that it does not use an explicit mapping of requests to a url. In fact, the search for the service on the server's side is carried out by an additional http header (I can't say exactly) that comes from the client. I mean, all the requests go to one url, and then GWT itself looks for the class and the method to be called by reflection. So pointing the client at another url with the help of RPC won't work. The only option is to build the requests explicitly and send them. You can use http://www.gwtproject.org/javadoc/latest/com/google/gwt/http/client/RequestBuilder.html for that.
    3. As for sessions, that's a separate story. If you do get a request to another server, it won't know about the first server's session. We could try to smash the first server session, but it's a flexible way. Giving the OAuth token to clients is not recommended at all. There's only room for additional copying on the second server. It can be done in the background, more specifically, so the client doesn't see it. Although the client's side will be redirected when requesting the second server. But it'll only work if you've got everything on the same domain. In fact, this is a separate topic.
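
The idea from the question (after OAuth, give the frontend a token and send it with every request) can be combined with the answer's points that the token should be long and random and that the OAuth token itself should not reach the client. A backend-side sketch of that, added here as an example and not taken from the posts or from GWTP; the class name, the 30-minute lifetime and the `Authorization: Bearer` header format are assumptions:

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical backend helper (Java 16+); none of these names are GWT or GWTP API.
public final class BackendSessionTokens {
    private record Session(String userId, Instant expires) {}

    private static final Duration TTL = Duration.ofMinutes(30); // assumed lifetime
    private final SecureRandom rng = new SecureRandom();
    // Keyed by SHA-256 of the token, so a dump of the store yields no usable tokens.
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    // Call once the backend has finished OAuth and knows who the user is.
    public String issue(String userId) {
        byte[] raw = new byte[32]; // 256 random bits -> 43 URL-safe characters
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(hash(token), new Session(userId, Instant.now().plus(TTL)));
        return token; // hand to the frontend over HTTPS; the OAuth token stays here
    }

    // Takes the raw "Authorization" header; returns the user id if the token is live.
    public Optional<String> authenticate(String header) {
        if (header == null || !header.startsWith("Bearer ")) return Optional.empty();
        String key = hash(header.substring("Bearer ".length()).trim());
        Session s = sessions.get(key);
        if (s == null) return Optional.empty();
        if (Instant.now().isAfter(s.expires())) { // expired: drop it and reject
            sessions.remove(key);
            return Optional.empty();
        }
        return Optional.of(s.userId());
    }

    public void revoke(String token) { sessions.remove(hash(token)); } // logout

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JRE
        }
    }
}
```

On the backend, both the REST and the RPC entry points would call `authenticate` with the incoming header before dispatching; on App Engine the in-memory map would need to be replaced by shared storage, since instances do not share heap.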
