That's the reason why you need to check credentials/security at your backend (which is serving the data to your GWT client). You must not rely on the client because you can't control what the client does. How is the login done ? Do do you post the login form to the backend and generate a session ? If so, you must make sure that the backend call which retrieves the data that is going to be displayed on your AdminPlace is authenticated and authorized. In addition you redirect the user to an error page when the user is not admin/authenticated on the client. But that's optional. If the backend is properly secured the user sees a blank AdminPlace.
On Monday, June 6, 2016 at 1:47:47 PM UTC+2, Olar Andrei wrote: > > Hello, > > For now my aplication (MVP) has a login page, and 2 other palces, the > AdminPlace and the UserPlace. > My URL looks like this: > > http://127.0.0.1:8888/AdministrareBloc.html#AdminPlace:Admin > > The login form consists of username and password, where the username is > passed as a token to the next Place. > A user can't connect if he does not know the password, but let's say I'm > logged in like in the link above. If I change the Admin to Admin2 or > whatever, I still can see the page content. I don't want this. How can I > avoid this ? > > Thanks in advance > > -- You received this message because you are subscribed to the Google Groups "GWT Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-web-toolkit. For more options, visit https://groups.google.com/d/optout.
