On Thu, Sep 1, 2011 at 11:56 AM, <[email protected]> wrote:

> Thinking about it some more; it would be the easiest if GWT just started
> serializing final fields across the board, and only skipped them if they
> were marked with a GwtTransient.
>
> That is basically what the current patch does (except for ignoring sets
> on the client-side).
>
> Anything else requires making the server-side aware of the
> rpc.final.serialize value. Maybe that is easier than I'm imagining.
>
> Anyway, it'd be a breaking change, so perhaps it's not an option, but I
> just thought I'd mention it.


There is a risk that existing users were relying on current behavior to not
send sensitive data in final fields across the wire, and changing it without
some form of opt-in seems a security risk.

It could be adding an <inherits> tag that sets a config property or
annotating service interfaces/etc, but it needs to be opt-in.

If the server needs to behave differently depending on this setting, then
either it should be included in the RPC payload or in some deploy artifact,
such as the serialization policy file.

-- 
John A. Tamplin
Software Engineer (GWT), Google

-- 
http://groups.google.com/group/Google-Web-Toolkit-Contributors
