
Secure Your GWT App Easily

Securing a GWT web app is straightforward: most of the application-layer code runs in the browser as JavaScript, and the client only calls backend services to fetch or update data. So the question is who may call which service. Deciding access per service is a start, but it is better to make the access check fine-grained, at the method level, because a GWT app is effectively an AJAX app and a single page can call many service methods. A check that lives on the server, on the method itself, cannot be bypassed by a client that skips the UI and calls the RPC endpoint directly.

Here I am using Spring AOP to separate the business logic from the security check.

Our domain model looks like this:

//A user has a role
public class User {
  private Role role;

  //other code.
}

//A role has a collection of permissions
public class Role {
  private String name;
  private Set<Permission> permissions;
}

Here I am attaching permissions to the Role, so that when a developer sets the security level of a method, they only have to think about the permission, not about which roles exist.

public class Permission {
  private String name;
}


Now let's write a custom security annotation:

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

//Retention is set to RUNTIME so that the annotation is kept in the compiled class and can be read reflectively at runtime
//If you do not set Retention to RUNTIME, this annotation will not work
//This annotation can be placed on a method
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
public @interface RequirePermission {
  String value();
}

Now let's write an around aspect using Spring AOP:

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Aspect
@Component
public class CheckPermissionAspect {

   //a utility class that decides whether the currently logged-in user has a given permission
   @Autowired PermissionHandler permissionHandler;

   //I am using around advice because it has to decide whether to call the target method or not, depending on the permission
   //this advice targets methods annotated with RequirePermission on a class annotated with @Service;
   //the annotation is bound to the 'permission' parameter by name so the advice can read its value
   @Around("@target(org.springframework.stereotype.Service) && @annotation(permission)")
   public Object handlePermission(ProceedingJoinPoint joinPoint, RequirePermission permission) throws Throwable {
       if (permissionHandler.doesCurrentUserHasPermission(permission.value())) {
            return joinPoint.proceed();
       } else {
            throw new AccessException("Current user does not have required permission");
       }
   }
}


Now let's write an example service for an online shopping web application (the permission names, the Offer type and the name of the last method are assumed here; the original listing lost them):

@Service
public class OnlineOfferServiceImpl implements OnlineOfferService {

        //you can give this permission to the admin of the store, to a manager, or to a few employees
        @RequirePermission("ADD_OFFER")
        public void addNewOffer() {
            //business logic goes here
        }

        //you can give this permission to just the admin
        @RequirePermission("DELETE_OFFER")
        public void deleteOffer(int offerId) {
            //business logic goes here
        }

        //you can give this permission to everyone other than guests
        @RequirePermission("VIEW_OFFERS")
        public List<Offer> getOffers() {
            //offer lookup goes here
            return new ArrayList<>();
        }
}


This way the developer only has to think about the permission when securing a method and need not worry about roles. It also gives fine-grained control: any permission can be assigned to any role, the mapping can be changed later in the database, and no code change in the service is needed.
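To show the whole chain end to end without a Spring container, here is an added example (not code from the article) that implements the same method-level permission check with a plain JDK dynamic proxy in place of the Spring AOP advice. The annotation, User/Role model, permission names, the CurrentUser holder, service methods and Offer data are all constructed for this demo. Two things differ from the article's setup and are deliberate: the proxy denies calls to any method that carries no @RequirePermission, so a forgotten annotation fails closed instead of silently allowing access, and an unprotectedMethods audit lets a unit test catch such gaps before deployment. Because a JDK proxy dispatches on the interface, the annotations sit on the interface methods here, whereas Spring AOP reads them from the implementation class.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class PermissionProxyDemo {

    // Same annotation as in the article: retained at runtime so it can be read reflectively.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequirePermission { String value(); }

    // Minimal User -> Role -> permissions model; permission names are constructed for this demo.
    record Role(String name, Set<String> permissions) {}
    record User(String login, Role role) {
        boolean hasPermission(String permission) { return role.permissions().contains(permission); }
    }

    // Stand-in for the article's PermissionHandler: the current caller, assumed to be set from the
    // server-side session after authentication, never taken from anything the client sends.
    static final ThreadLocal<User> CURRENT_USER = new ThreadLocal<>();

    static class AccessException extends RuntimeException { AccessException(String m) { super(m); } }

    // The service interface a GWT RPC client would call; method and permission names are assumptions.
    interface OnlineOfferService {
        @RequirePermission("OFFER_CREATE") void addNewOffer(String title);
        @RequirePermission("OFFER_DELETE") void deleteOffer(int offerId);
        @RequirePermission("OFFER_VIEW") List<String> listOffers();
    }

    static class OnlineOfferServiceImpl implements OnlineOfferService {
        private final List<String> offers = new ArrayList<>();
        public void addNewOffer(String title) { offers.add(title); }
        public void deleteOffer(int offerId) { offers.remove(offerId); }
        public List<String> listOffers() { return new ArrayList<>(offers); }
    }

    // Equivalent of the @Around advice as a JDK dynamic proxy: decide whether the target method runs.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target) {
        InvocationHandler handler = (proxy, method, args) -> {
            RequirePermission required = method.getAnnotation(RequirePermission.class);
            User user = CURRENT_USER.get();
            // Fail closed: an unannotated method, or no logged-in user, is denied rather than allowed.
            if (required == null) {
                throw new AccessException("No @RequirePermission on " + method.getName());
            }
            if (user == null || !user.hasPermission(required.value())) {
                throw new AccessException("Current user does not have required permission " + required.value());
            }
            return method.invoke(target, args);
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface}, handler);
    }

    // Audit helper: names of service methods with no @RequirePermission, so a unit test can assert
    // the list is empty and coverage gaps are caught before they reach production.
    static List<String> unprotectedMethods(Class<?> iface) {
        List<String> missing = new ArrayList<>();
        for (Method m : iface.getMethods()) {
            if (m.getAnnotation(RequirePermission.class) == null) missing.add(m.getName());
        }
        return missing;
    }

    public static void main(String[] args) {
        OnlineOfferService service = secure(OnlineOfferService.class, new OnlineOfferServiceImpl());

        // The role-to-permission mapping would normally be loaded from the database; constructed inline here.
        Role manager = new Role("MANAGER", Set.of("OFFER_CREATE", "OFFER_VIEW"));
        Role guest = new Role("GUEST", Set.of());

        CURRENT_USER.set(new User("alice", manager));
        service.addNewOffer("Spring sale");
        System.out.println("manager sees: " + service.listOffers());
        try {
            service.deleteOffer(0);                       // manager lacks OFFER_DELETE
        } catch (AccessException e) {
            System.out.println("manager denied: " + e.getMessage());
        }

        CURRENT_USER.set(new User("bob", guest));
        try {
            service.listOffers();                         // guest has no permissions at all
        } catch (AccessException e) {
            System.out.println("guest denied: " + e.getMessage());
        }

        System.out.println("unprotected methods: " + unprotectedMethods(OnlineOfferService.class));
    }
}
```

Run it with `java PermissionProxyDemo.java` on JDK 16 or later (records are used). The manager call to deleteOffer and the guest call to listOffers both raise AccessException, and the audit prints an empty list; remove one of the annotations from the interface and the audit names that method, which is the check to wire into a build-time test when the real project grows beyond three service methods.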

