Ah, I understand your concern. Hm. Maybe someone with more GWT experience can chime in on this but i'm thinking this. It's not like you have a simple hidden DIV in the browser that you're deciding to show dynamically. You have a javascript function that generates that div, which i'd imagine would be a lot tricker to hack (though probably not impossible if the hacker were properly motivated) Even still, what would the hacker have access to at that point? He'd see the admin tab... but what could he do with it? You should implement your security so that the admin RPC methods also require some kind of authentication. This way, a determined hacker may be able to see the tab but he still couldn't do anything with it. Not knowing your exact application, this may have other complications but that is the way that i'd probably be thinking of doing it.
I'd love to hear some alternative solutions as i'm pretty much in the same boat as you are. I'm porting my first major application to GWT and i've been going with the assumption that server based security for the admin RPC's combined with obfuscated javascript will give me a similar level of security to what i would get by traditional means. (though arguably better since there will be no history trail to the admin pages left in the browser since gwt allows you to not cause any browser history footprint that you don't deliberately generate) On Jul 29, 12:27 pm, Nickelnext <nickeln...@gmail.com> wrote: > Hello > > You suggest that when the callback gets the Onsuccess and the user is > valid, i can simply add a new tab or panele or whatever making the > Admin Area visible? > > Your solution would be perfect, and i thought of it yet but my > question is: isn't it easily hack-able? I mean, inside the javascript > that gwt compiles there would be also the admin area, so a malicious > user could, with some tricks, retrieve the content and do some ugly > things with my app, couldn't he? > > What i mean is: is this easy and fast solution also secure? Would be > the part of the admin area untouchable if the user doesn't > authenticate himself or there should be a possibility? Because if i'm > not wrong, the solution you suggest isn't like one with, for example, > a PHP page that renders a new html page with the private content, but > the content is himself into the Application, cause the Admin Area tab > (or else) is in the client code (and so in whoever's open my app > browser). > > Sorry for my bad bad english, hope you get the point. > Thank you! > Nickelnext --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~----------~----~----~----~------~----~------~--~---