Server Implementation

On server side I use spring, in this case spring boot. I want to show here some special usage depending on the GWT integration, which is primary based on the excellent work of Mrabti that can be read in his blog Secure REST services using Spring Security. What I've changed is to extract conversion of the data to external converter, so you can use LoggedInChecker and AuthSuccessHandler project independend.

Security

CSRF/XSRF protection

The CsrfCookieHandler handles the security cookie, is included into the WebSecurityConfig additional to the csrf header filter. That's all, you needn't change anything in the rest controllers.

Input validation

Do it the easy way, just add a @Valid annotation to the controller parameter, as you can see in the SepaController. The controller has nothing else to do, a global RestErrorHandler catches the MethodArgumentNotValidException and pushes the validation results to the client. In the controller you can be sure the input is valid and simply work with it.