Pawn2:Call Flow

From Adapt

Overview of basic call flow and authentication for server-side calls.

All GWT services must implement AuthorizationCheckRemoteServiceServlet, which checks that a client is authorized to make a call. Services must also implement the getAuthorizationEngine() call if their methods require any type of authorization beyond a client being logged in to PAWN.

Basic Call Flow

  1. The service is instantiated. Its constructor may call setContextRequired(false) if methods in the service do NOT require an authenticated user (default: required). Currently only the login service has this set.
  2. AuthorizationCheckRemoteServiceServlet.processCall decodes the client request.
    1. The logging MDC, method name and session are set.
    2. The AuthenticationContext is extracted from the session.
    3. If the AuthenticationContext is not present and a context is required, an AccessDeniedException is thrown to the client.
    4. If getAuthorizationEngine returns a non-null ServiceAuthorication, checkAuthorization is called with the context, method, and method parameters. ServiceAuthorication will throw an AccessDeniedException or IllegalArgumentException if a client is not authorized or passes bad data.
    5. The method is called with its parameters. Any results and expected exceptions are encoded and returned to the client. Declared exceptions should be logged by the client prior to throwing.
  3. Any unexpected/runtime exception is logged and thrown back to the client.
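
The flow above as a self-contained sketch, added here as an illustration and not taken from the PAWN code base. The class names follow the page, but every type is a simplified stand-in with no GWT dependency; the method signatures, the "authContext" session key, GatedService and RecordService are assumptions.

```java
import java.util.*;
import java.util.function.Function;

// Model of the gate only: every type is a stand-in; signatures and the session key are assumptions.
public class CallFlowSketch {
    static class AccessDeniedException extends RuntimeException { AccessDeniedException(String m) { super(m); } }
    record AuthenticationContext(String user) {}
    interface ServiceAuthorication {
        void checkAuthorization(AuthenticationContext ctx, String method, Object[] params);
    }
    static abstract class GatedService {
        private boolean contextRequired = true; // step 1: required unless the constructor opts out
        protected final Map<String, Function<Object[], Object>> methods = new HashMap<>();
        protected void setContextRequired(boolean required) { contextRequired = required; }
        protected ServiceAuthorication getAuthorizationEngine() { return null; }
        Object processCall(Map<String, Object> session, String method, Object... params) {
            Function<Object[], Object> target = methods.get(method); // step 2: decode the request
            if (target == null) throw new IllegalArgumentException("unknown method " + method);
            AuthenticationContext ctx = (AuthenticationContext) session.get("authContext"); // 2.2
            if (ctx == null && contextRequired) throw new AccessDeniedException("not logged in"); // 2.3
            ServiceAuthorication engine = getAuthorizationEngine();
            if (engine != null) engine.checkAuthorization(ctx, method, params); // 2.4
            return target.apply(params); // 2.5: service code runs only after both checks pass
        }
    }
    // Hypothetical service: any logged-in user may read, only "admin" may delete.
    static class RecordService extends GatedService {
        RecordService() {
            methods.put("read", p -> "record " + p[0]);
            methods.put("delete", p -> "deleted " + p[0]);
        }
        @Override protected ServiceAuthorication getAuthorizationEngine() {
            return (ctx, method, params) -> {
                if (params.length != 1 || !(params[0] instanceof Integer))
                    throw new IllegalArgumentException("bad record id");
                if (method.equals("delete") && !ctx.user().equals("admin"))
                    throw new AccessDeniedException(ctx.user() + " may not delete");
            };
        }
    }
    public static void main(String[] args) {
        RecordService svc = new RecordService();
        Map<String, Object> session = new HashMap<>(); // constructed session, starts unauthenticated
        for (String user : new String[] {null, "alice", "admin"}) {
            if (user != null) session.put("authContext", new AuthenticationContext(user));
            try { System.out.println(svc.processCall(session, "delete", 7)); }
            catch (AccessDeniedException e) { System.out.println("denied: " + e.getMessage()); }
        }
    }
}
```

The three calls in main exercise the missing-context denial, the per-method denial from the authorization engine, and an allowed call, in that order.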