DOJO+DWR+SPRING+AUTHENTICATION

Intro:

Download projectdwr-test.zip
Download WARdwr-test-war-1.0.0.war
Test (default weblogic install)http://localhost:7001/dwr-test-war-1.0.0/test.html
When promted type user name “weblogic” password “weblogic” for default weblogic install.


Screenshot.

This article shows how to implement pure AJAX application that does round trip communication to Java back end using custom DOJO widgets for client, DWR for JavaScript to Java communication and Spring that will manage back end Java objects.
Full Maven2 project is provided for download.

There are two ways of building AJAX applications.

  • Single page approach where the AJAX application get loaded one into browser and all of subsequent server side communications are AJAX calls.
  • Multiage approach where it is more like MVC2 where each JSP page served back to browser contains AJAX components.

The approach I like and took is Single page (1) because its more natural to client/server development where the only thing passed in-between is data.
But I wont be shy of using multi page approach if need arises.


The reason for technology choices:

DOJO – a very comprehensive cross browser JavaScript framework with good
support for packaging, AJAX, AOP like method interceptors, event handling and most
important built in and custom widgets that can be composed together much like in Swing.

DWR – you can use plain AJAX for client server communication or simply let
DWR marshal your JavaScript object to Java.

Spring – it is always my choice of Java integration/container framework.

The project I put together is J2EE Web application which contain Java back end components and simple html file that will bootstrap our Dojo widget which in turn will use DWR to communicate back to Java backend (no JSP is involved).
In addition I incorporated Servlet security to show how to authorize your Dojo app user against Java back end.

DOJO:

In earlier Dojo releases no custom widget could have been developed outside of Dojo source package. This was fixed in latest releases where it is possible to move custom
widget code base outside of Dojo package but with one restriction which is the custom package needs to share same parent directory as the Dojo package, like this:

js/dojo/src (dojo packaging)
js/app/widget (custom packaging)

Dojos recommended packaging structure for custom widgets is “namespace/widget” directory structure. From above directory layout “app” is will be our namespace.
Theoretically it is possible to have deeper directory structure for custom widgets after “app” directory but it never worked for me.
For more information how to Dojo finds custom package look at “manifest.js” file under “app” directory and widgets themselves.
Included with the sample project is non widget code that shows how to package non widget package outside of Dojo (yes it is different), it is under “js/app/common/data”.

One of issues I had with Dojo is its documentation. Most of my time was spent on investigating widget API which is close to impossible with dynamic nature of JavaScript.
The best place to get familiar with Dojo is DojoBook, to see Dojo widgets in action and how to use them look here http://archive.dojotoolkit.org/nightly/tests/widget/ (click on links that start with “test”) and finally the discussion group can be found at http://news.gmane.org/gmane.comp.web.dojo.user.

- dojo.debugDeep(obj) is quite a useful utility which will pop up dialog and allow to drill down the object properties. This helps a lot when you are dealing with object of unknown type.

DWR:
What I like about DWR java support is that it is very straightforward (more like Spring Framework, I think it should be integrated more into Spring at some point).

DWR allows different ways of exposing Java objects, one of which is exposing them through Spring context. For more info check out “WEB_INF/dwr.xml”,
“WEB-INF/servlet-context.xml” and “web.xml” to see how DWR gets integrated with our Service objects.
Official DWR/Spring examples can be found here http://getahead.ltd.uk/dwr/server/spring.

In a nutshell we use DWR Servlet that will find Spring context previously loaded by configured Servlet Listener and automatically marshal JavaScript to Java calls
probably using JSON underneath.

Security – Authentication and Authorization:

JavaScript has always been regarded as a security issue. One of the main issues DWR lists is that anyone from outside can call Java objects which are exposed through DWR and JavaScript.
Personally I consider this more of generic Web client/server security issue which is commonly solved in J2EE Web clients thought Servlet security model.
Since our Dojo widgets are loaded from Servlet container we can secure them same way as we secure JSPs and Servlets. All we have to do is tell Servlet container
to secure html file that bootstraps Dojo widgets so that when we first access it the container will prompt for user name/password.

DWR can automatically pass “HttpServletRequest” object from which we can get logged in user for further authorization (check http://getahead.ltd.uk/dwr/server/javaapi for more information). This does pollute Service interface but we have to threat this object more like JavaScript proxy which will delegate calls to actual Service object that contains actual business logic.
Current implementation uses BASIC Servlet authentication but it should be easy to change it to FORM based and embed into our DOJO widget.

Download projectdwr-test.zip
Download WARdwr-test-war-1.0.0.war
Test (default weblogic install)http://localhost:7001/dwr-test-war-1.0.0/test.html
When promted type user name “weblogic” password “weblogic” for default weblogic install.

Note:
Looks like Tomcat authentication does not like

<role-name>*</role-name>

defined in web.xml.
To get authentication working on Tomcat change

<role-name>*</role-name>

to

<role-name>user</role-name>

in web.xml and add “user” to “conf/tomcat-users.xml” like this:

<?xml version=’1.0′ encoding=‘utf-8′?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="user"/>
  <user username="user" password="user" roles="user"/>
</tomcat-users>

7 comments to DOJO+DWR+SPRING+AUTHENTICATION

Leave a Reply

  

  

  


two + 5 =

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>