I've been struggling with how to integrate Spring Security with GWT. I don't have very much experience with using Spring Security and have been going in circles. After adding Spring Security with two additional files to configure it, I was able to show a login page and authenticate the user. However, as soon as that happened, the application failed to load because GWT uses POST requests to access the RPC. As it turns out, this isn't a sign that the configuration failed. Spring Security expects a CSRF token on POST requests to prevent security problems ... GWT doesn't insert this token when accessing the RPC ... and so we get a forbidden error. Disabling CSRF in the config for Spring Security is also not working.
I next tried using GWT's XSRF protection ... again, I'm not very familiar with web application security. I thought if I did this, then my application would be able to tell Spring Security the CSRF token that it expects. This turned into a frustrating chicken-and-egg issue. To get the XSRF token, GWT does a POST request ... which is blocked by Spring Security.
Spring Security examples that I've found have been for standard web applications, as opposed to GWT's host page mechanism.
I think the final solution is going to be:
- Use Spring Security as a gatekeeper to the application
- Spring Security needs to be configured to override a bunch of things, along the lines of https://crazygui.wordpress.com/2014/08/29/secure-rest-services-using-spring-security/
- Once authenticated, the application is responsible for maintaining security within itself
- We can use the XSRF here for additional security
- Maintain session information for the authenticated user
So why even use Spring Security and not just wire up my own login screen, etc.? Spring Security, I think, will be more flexible and give more options later down the road.
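One way to resolve the chicken-and-egg problem described above is to keep Spring Security's CSRF protection switched on but let GWT's RPC client supply the token itself: Spring hands the token to the browser in a readable cookie, and a custom `RpcRequestBuilder` copies it into a request header on every RPC call, so no separate token-fetching POST is needed. The code below is an added example, not from the question or from either project; it assumes Spring Security 4.1 or later (for `CookieCsrfTokenRepository.withHttpOnlyFalse()`), a GWT RPC servlet mapped under the hypothetical path `/app/rpc/*`, a form login page at `/login`, and a hypothetical RPC interface `MyService`. The cookie and header names are Spring's defaults for that repository.

```java
// ---- File 1 (server): SecurityConfig.java ----
// Assumptions (not from the question): Spring Security 4.1+, GWT RPC servlets
// mapped under the hypothetical path /app/rpc/*, custom login page at /login.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Keep CSRF protection ON for the GWT RPC POSTs, but store the token in a
            // cookie the browser's script can read (httpOnly=false) so GWT client code
            // can echo it back in the X-XSRF-TOKEN header. The same-origin policy stops
            // other sites from reading that cookie, which is what makes the
            // cookie-to-header pattern safe.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Weaker alternative, shown only for contrast: exempting the RPC path
                // leaves every RPC method open to cross-site POSTs from a logged-in browser.
                // .ignoringAntMatchers("/app/rpc/**")
                .and()
            .authorizeRequests()
                // GWT bootstrap files must be reachable before login, or the host page cannot load.
                .antMatchers("/login", "/**/*.nocache.js", "/**/*.cache.js", "/**/*.css").permitAll()
                .antMatchers("/app/rpc/**").authenticated()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .logout().permitAll();
    }
}

// ---- File 2 (GWT client): XsrfHeaderRequestBuilder.java ----
// Assumption: the async RPC proxy is created with GWT.create(MyService.class),
// where MyService is a hypothetical RemoteService interface.
import com.google.gwt.http.client.RequestBuilder;
import com.google.gwt.user.client.Cookies;
import com.google.gwt.user.client.rpc.RpcRequestBuilder;
import com.google.gwt.user.client.rpc.ServiceDefTarget;

public class XsrfHeaderRequestBuilder extends RpcRequestBuilder {
    // Spring Security's CookieCsrfTokenRepository default cookie and header names.
    private static final String COOKIE = "XSRF-TOKEN";
    private static final String HEADER = "X-XSRF-TOKEN";

    @Override
    protected void doFinish(RequestBuilder rb) {
        super.doFinish(rb);
        // The host page GET already passed through Spring's CsrfFilter, which set
        // the cookie; copy its value into the header on every RPC POST.
        String token = Cookies.getCookie(COOKIE);
        if (token != null) {
            rb.setHeader(HEADER, token); // CsrfFilter compares this with the cookie's token
        }
    }

    /** Installs this builder on an RPC proxy so every call carries the header. */
    public static <T> T protect(T asyncProxy) {
        ((ServiceDefTarget) asyncProxy).setRpcRequestBuilder(new XsrfHeaderRequestBuilder());
        return asyncProxy;
    }
}

// Usage in the module entry point (constructed):
//   MyServiceAsync svc = XsrfHeaderRequestBuilder.protect(GWT.create(MyService.class));
//   svc.someCall(arg, callback);   // POST now carries X-XSRF-TOKEN and is accepted
```

With this arrangement the RPC never has to fetch a token first: the cookie is issued on the first request that passes through the CSRF filter (the host page load), and Spring accepts any POST whose header matches the cookie. The login form itself is still a POST, so a hand-written `/login` page must include the token as well, as a hidden `_csrf` field or via the same header; a 403 on the login POST rather than on the RPC is the usual sign that this step was missed. If you later add GWT's own XSRF-protected services on top, they can coexist with this filter, since Spring's check happens before the request reaches the GWT servlet.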