There is a frontend server on Tomcat with a user interface on GWT-Platform and a backend server on Google AppEngine with the business logic. Requests are made both via gwtp-dispatch-rpc-client and via gwtp-dispatch-rest. Authorization happens through OAuth. Previously, when everything was on the same server, sessions were used; now it is impossible to do this with sessions.

Any idea how to make such secure requests from the frontend to the backend?

UPD

Sessions are working on the backend. It is not clear how I find out that the request came from this client, because the requests do not carry any information, at least in rpc-dispatch. With REST I think it is easier, because I can send a session token in the request itself, but I don't know what to do with RPC.

The question is even broader: how do I specify in RPC-Dispatch that the request should go not to the same server but to a completely different address, and how do I send the token received as a result of authorization in the request?

I am thinking of redirecting to the frontend after OAuth authorization with a token, for example one obtained from the session, and then passing this token in each request.

  • It is not clear what your problem is. You should have a session no matter where your frontend is. Explain your question in more detail. - Temka, too
  • Thank you, I have clarified the question. - Alex Po

1 answer

  1. The server recognizes the client by a cookie. For Java this is JSESSIONID, although this is not a strict rule and you can write your own session system. It is assumed that a cookie cannot be intercepted (since you must use https if you have authentication) or forged (because it is a string of more than 30 random characters).
  2. I have never worked with GWTP, but as regards GWT RPC I can say that it exists to avoid explicit url mapping. Actually, the lookup of the called service on the server side is done with the help of an additional http header (I can't say for sure) that comes from the client. That is, all requests go to the same url, and then the GWT engine finds the class and method to invoke via reflection. Therefore, pointing the client at another url using RPC during a call does not work. Here the only option is to create the requests yourself and send them. You can use RequestBuilder.
  3. Sessions in general are a separate story. If you can send the request to another server, it will not know about the session of the first server. You can try to share the session of the first server, but that is a bad way. Passing the OAuth token to the client is generally not recommended. The only remaining option is an additional authorization on the second server. It can be done in the background, more precisely so that the client does not see it. Although on the client side there will be redirects when requesting the second server. But all this will work only if you have everything on the same domain. Actually, that is a question for a separate topic.
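The second point of the answer (a plain GWT RequestBuilder call instead of GWT-RPC when the backend lives on another host) as an added example, not code from the original post or from GWTP. It assumes a backend origin of https://backend.example.com, a path /api/orders, and a token string the frontend handed to the client after OAuth; all three are hypothetical. The token travels in an Authorization header rather than a cookie, because the frontend's session cookie is bound to the frontend's domain and is never sent to the backend.

```java
// Added example (not from the original post): calling a backend on a different
// origin from GWT client code with RequestBuilder, sending a bearer token.
// Assumed: BACKEND origin, the /api/orders path and the token value are placeholders.
package example.client; // hypothetical package

import com.google.gwt.http.client.Request;
import com.google.gwt.http.client.RequestBuilder;
import com.google.gwt.http.client.RequestCallback;
import com.google.gwt.http.client.RequestException;
import com.google.gwt.http.client.Response;
import com.google.gwt.http.client.URL;

public class BackendClient {
    private static final String BACKEND = "https://backend.example.com"; // assumed

    // Opaque token issued to this browser after OAuth login. It is NOT the
    // OAuth access/refresh token itself; those stay on the server.
    private final String token;

    public BackendClient(String token) {
        this.token = token;
    }

    public void getOrders(int page, final RequestCallback callback) {
        String url = BACKEND + "/api/orders?page=" + URL.encodeQueryString(String.valueOf(page));
        RequestBuilder rb = new RequestBuilder(RequestBuilder.GET, url);

        // Authorization is a "non-simple" header, so the browser sends an OPTIONS
        // preflight first; the backend must answer it with
        // Access-Control-Allow-Origin: <frontend origin> and
        // Access-Control-Allow-Headers: Authorization, otherwise onError fires
        // and the real request is never sent.
        rb.setHeader("Authorization", "Bearer " + token);
        rb.setHeader("Accept", "application/json");
        rb.setTimeoutMillis(10000);

        try {
            rb.sendRequest(null, new RequestCallback() {
                @Override
                public void onResponseReceived(Request req, Response resp) {
                    if (resp.getStatusCode() == 401) {
                        // Token expired or revoked on the backend: the caller
                        // should restart the OAuth flow on the frontend.
                        callback.onError(req, new RuntimeException("backend rejected token"));
                        return;
                    }
                    callback.onResponseReceived(req, resp);
                }

                @Override
                public void onError(Request req, Throwable e) {
                    // Reached on network failure or when the browser blocked the
                    // cross-origin request (missing/incorrect CORS headers).
                    callback.onError(req, e);
                }
            });
        } catch (RequestException e) {
            callback.onError(null, e);
        }
    }
}
```

The token should be kept in memory (or in a cookie scoped to the backend with `setIncludeCredentials(true)`), never appended to the URL, since query strings end up in server logs and browser history.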
  • Only the first point is clear. As for the second, in GWT you can do it like this. The third point I do not quite understand. - Alex Po
  • @AlexPo, the link in the second point describes the mechanism for implementing CORS, which has little to do with this issue. Regarding the third, ask clarifying questions. - Temka, too
  • But don't I make a Cross-Origin Request from one domain to another? - Alex Po
  • @AlexPo no, you redirect to another domain - Temka, too
  • I make a request to another domain in order to obtain data - Alex Po
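The third point of the answer and the CORS discussion in the comments, as an added example that is not part of the original thread: a servlet filter on the backend that authenticates each request by the bearer token the frontend sends, so the backend needs no knowledge of the frontend's Tomcat session. The filter also answers the CORS preflight for exactly one known frontend origin. TokenStore, InMemoryTokenStore and FRONTEND_ORIGIN are hypothetical; a real deployment would back the store with App Engine memcache or datastore and register the filter from a ServletContextListener.

```java
// Added example (not from the original post): bearer-token authentication on the
// backend plus a minimal CORS policy for one trusted frontend origin.
// Assumed: FRONTEND_ORIGIN and the TokenStore interface are placeholders.
package example.server; // hypothetical package

import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BearerAuthFilter implements Filter {
    private static final String FRONTEND_ORIGIN = "https://frontend.example.com"; // assumed

    /** Hypothetical lookup of tokens this backend issued after OAuth; null = unknown. */
    public interface TokenStore {
        String userIdFor(String token);
    }

    /** Hypothetical in-memory store; swap for memcache/datastore in production. */
    public static class InMemoryTokenStore implements TokenStore {
        private final Map<String, String> tokens = new ConcurrentHashMap<String, String>();
        public void issue(String token, String userId) { tokens.put(token, userId); }
        public void revoke(String token) { tokens.remove(token); }
        @Override public String userIdFor(String token) { return tokens.get(token); }
    }

    private final TokenStore store;

    // Registered programmatically, e.g. servletContext.addFilter("auth", new BearerAuthFilter(store)).
    public BearerAuthFilter(TokenStore store) {
        this.store = store;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;

        // CORS: echo only the one trusted origin, never "*" with credentials.
        // Authorization is a non-simple header, so the browser preflights with
        // OPTIONS and must be told the header and methods are allowed.
        String origin = req.getHeader("Origin");
        if (FRONTEND_ORIGIN.equals(origin)) {
            resp.setHeader("Access-Control-Allow-Origin", FRONTEND_ORIGIN);
            resp.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
            resp.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
            resp.setHeader("Vary", "Origin");
        }
        if ("OPTIONS".equals(req.getMethod())) {
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT); // preflight needs no body
            return;
        }

        String userId = authenticate(req.getHeader("Authorization"));
        if (userId == null) {
            resp.setHeader("WWW-Authenticate", "Bearer");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("userId", userId); // downstream servlets read the caller identity here
        chain.doFilter(req, resp);
    }

    /** Returns the user id for a "Bearer <token>" header value, or null if missing or unknown. */
    String authenticate(String header) {
        if (header == null || !header.startsWith("Bearer ")) return null;
        String token = header.substring("Bearer ".length()).trim();
        if (token.isEmpty()) return null;
        return store.userIdFor(token);
    }
}
```

The backend issues the token itself after its own OAuth exchange (the "additional authorization on the second server" the answer mentions), so revoking access is a `revoke` on this store and nothing on the frontend has to change.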