roikkuf / gwtsecurity Goto Github PK

It would be nice to have gwtsecurity be able to resend the original rpc payload 
after successful login.

This way no data would be lost after a session timeout.

Is this possible?

GWTSessionAuthenticationException cannot be de-serialized because it doesn't 
nave a default constructor.  Please see attached patch.

While working with gwtsecurity it appears that sessions don't get created when 
allowSessionCreation = true in the doFilter method.

I have attached patch that seems to fix this issue.

Thanks!

version gwtsecurity-core-1.2.2

All loginable services swallow Server-side exceptions and there is no way to 
workaround.

Loginable services don't call onFailure method of AsyncCallback on Exception 
thrown by the remote service.

What steps will reproduce the problem?
1. Modify password of users admin and staff as follows:
    <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN, ROLE_STAFF"/>
            <user name="staff" password="staff" authorities="ROLE_STAFF"/>
        </user-service>
2. Run gssDemo2
3. Click on the 'Send' button next to 'whisperServer secured method(for 
ROLE_ADMIN)'
4. Login Box appears.
5. Enter Account=admin and Password=admin and click on Submit button.
6. Login fails and 'Error prone:Bad creden...' error is displayed in the login 
box.

What is the expected output? What do you see instead?
Expected Output: Login should be successful and Login box should disappear
Observed Output: Login fails and 'Error prone:Bad creden...' error is displayed 
in the login box.

What version of the product are you using? On what operating system?
Product Version: built from trunk using maven
Operating System: Ubuntu 10.10
Web Browser: Firefox and Chrome


Please provide any additional information below.
I monitered the requests sent by the browser using firebug and found that when 
admin/admin (username/password) is sent from login box the request's data is:
7|0|6|http://127.0.0.1:8888/demo2/|15EA1962E9203BB676A17298A13ABB0E|com.gwt.ss.c
lient.GwtLogin|j_gwt_security_check|java.lang.String/2004016611|admin|1|2|3|4|2|
5|5|6|6|
but when admin/user is sent from login box the request's data is:
7|0|7|http://127.0.0.1:8888/demo2/|15EA1962E9203BB676A17298A13ABB0E|com.gwt.ss.c
lient.GwtLogin|j_gwt_security_check|java.lang.String/2004016611|admin|user|1|2|3
|4|2|5|5|6|7|
It seems like GWT compressed the data and used used only one string literal for 
repeated parameters and used two references to it (see |6|6| at end of first 
request and |6|7| at the end of other)

With the release to the maven central repository we need to update the "Project 
Home" page on the google code site.

The JavaDoc link is now broken.  It needs to be updated to: 
http://gwtsecurity.googlecode.com/svn/javadoc/latest/index.html

We also need to change the dependency under the "Maven User" to be:

<dependency>
    <groupId>com.google.code</groupId>
    <artifactId>gwtsecurity</artifactId>
    <version>1.1.0</version>
</dependency>

What steps will reproduce the problem?
1. Login to an application
2. Wait for session timeout
3. Do any action that requires authentication

What is the expected output? What do you see instead?

The error message of the exception should be something like "Invalid session" 
or "Session expired because of timeout".
Right now it is "Session has invalid." - which is kind of meaningless.

What version of the product are you using? On what operating system?
1.2.0rc1, trunk

What steps will reproduce the problem?
1. Run any of the demo apps
2. Launch Firebug
3. Login
4. See that UID & Pwd are in plain text

What is the expected output? What do you see instead?
UID & Pwd would be encrypted

What version of the product are you using? On what operating system?


Please provide any additional information below.

After upgrading to gwtsecurity-core:1.2.0 loginable services don't call 
HasLoginHandler.startLogin(throwable) method at all


Indeed I've check the history of changes and found that 
com.gwt.ss.rebind.LoginableGenerator.java doesn't generate any line of code 
which would call "startLogin()" method.

I don't understand how your demos are working at all.

I have been working on session concurrency and it looks like the 
GWTSessionManagement class never calls sessionStrategy.onAuthentication().

My code seems to always return true at the getSecurityContextRepository call.  
I am not very familiar with aspectj but the SessionManagementFilter processes 
the filter chain first then checks the securityContextRepository for the 
context and it appears that the GWTSessionManagement class checks the 
securityContextRepository first then processes the chain.

It may be that the context is not getting released prior to the check.

What do you think about having the project added to the Maven Central 
Repository?  I have had some experience in this and could refactor the project 
to make use of the Sonatype servers located at http://oss.sonatype.org.

Basically you deploy your project to the Sonatype servers and then they 
synchronize with the Central Repo.

This would require us to change the pom to reflect the hosting location.  
Something like this:

<groupId>com.google.code</groupId>
<artifactId>gwtsecurity</artifactId>
<version>1.1.0</version>

I would also probably recommend changing the package definitions to reflect the 
changes to the groupId and artifactId.

What do you think?

I would recommend updating the pom.xml to gwtVersion 2.3.0.  It doesn't look 
like the 1.0.3 jar supports gwt 2.3.0.  If I change the pom to:

<gwtVersion>2.3.0</gwtVersion>

everything works again.

I would recommend creating a users forum at google groups for this project.  
Thanks!

I have created a patch that adds the following exceptions:

AccountExpiredException
AccountStatusException
CredentialsExpiredException
DisabledException
LockedException
UsernameNotFoundException

The patch moves the gwt exceptions into a separate package and refactors the 
GwtResponseUtil.processGwtException method.

The refactoring of the processGwtException method allows for easy addition of 
new exceptions that need to be added in the future by calling the 
createGwtException method.

I tried to provide the Chinese translation for my comments (using Google 
Translate) but they may not be correct.