On Jan 28, 2008, at 12:09 PM, Abdul Qabiz wrote:
> I would not do any such role-based things on client, it's very easy
> to spoof http packets and a normal user can get access to Admin UI...
> Just be careful with that... If you have solid way to avoid any
> such security issues, go ahead.
> -abdul
Well ... that'd only be the case if the developer was so out-of-touch
with security as to not use authentication on the server to actually
allow the user to perform administrative requests.
Personally, I use modules loaded in for various authenticated
operations. Those modules are only available through a servlet that
verifies the user and session. Only then will the modules be allowed
to get sent to the client.
Additionally, the paths that are used (aside from authentication) are
dynamically sent to the client and not embedded in the client side
application. This adds an additional level of 'security.'
cheers,
jon
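The two positions in this thread, the client-decided role Abdul warns about and the server-side session/role check Jon describes before a module is served, as an added example that is not part of the thread and not anyone's actual code. It is written as plain Python functions rather than a Java servlet so it runs stand-alone; the module table, session store, request dictionaries and `.swf` placeholder bytes are all constructed here, and the function and field names are assumptions.

```python
import secrets
from dataclasses import dataclass

# Constructed stand-ins for the compiled Flex modules the server would
# stream to the client, keyed by name, with the roles allowed to load each.
MODULES = {
    "admin":   {"roles": {"admin"},            "bytes": b"<admin-module.swf>"},
    "reports": {"roles": {"admin", "analyst"}, "bytes": b"<reports-module.swf>"},
}


@dataclass
class Session:
    user: str
    roles: set


class SessionStore:
    """In-memory session backend (assumption; a servlet container would own this)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, roles):
        # Session id is generated server-side and never derived from client input.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, set(roles))
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def serve_module_insecure(request):
    """The pattern Abdul objects to: the client tells the server which role it has.

    Anyone able to edit an HTTP request can send role=admin, so the check
    protects nothing.  Kept here only as the 'before' picture.
    """
    module = MODULES.get(request.get("module"))
    if module is None:
        return 404, None
    if request.get("role") not in module["roles"]:
        return 403, None
    return 200, module["bytes"]


def serve_module(store, request):
    """Jon's approach: the module is sent only after the server verifies the
    session and the role attached to it.  Nothing the client claims is trusted."""
    session = store.get(request.get("cookie_session", ""))
    if session is None:
        return 401, None                      # no valid server-side session
    module = MODULES.get(request.get("module"))
    if module is None:
        return 404, None
    if not (session.roles & module["roles"]):
        return 403, None                      # authenticated, but not authorised
    return 200, module["bytes"]


def module_manifest(store, sid):
    """Jon's second point: module paths are handed out per session rather than
    compiled into the client, and only for modules this session may load."""
    session = store.get(sid)
    if session is None:
        return None
    return {name: f"/modules/{name}.swf"            # path scheme is an assumption
            for name, mod in MODULES.items()
            if session.roles & mod["roles"]}


if __name__ == "__main__":
    store = SessionStore()
    admin_sid = store.login("alice", ["admin"])
    analyst_sid = store.login("bob", ["analyst"])
    print(serve_module_insecure({"module": "admin", "role": "admin"})[0])          # 200: forged role accepted
    print(serve_module(store, {"module": "admin", "cookie_session": analyst_sid})[0])  # 403
    print(module_manifest(store, analyst_sid))
```

The contrast worth noticing is that `serve_module` never reads a role from the request at all; the only client-supplied values are the session cookie, which is looked up rather than believed, and the module name, which is validated against the server's own table. The manifest function shows why dynamic paths are only a supplement: it reduces what the client learns, but the gate that actually matters is the role check in `serve_module`.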