The server side classes get compiled to bytecode, like most webapps.
The client side classes get compiled to bytecode and then combined
into javascript.  And then the bytecode goes in your WEB-INF/classes
dir, and as others have said, the outside world shouldn't have access
to that dir.

Since the client side gets magically transformed into JS, don't have
any Strings or constants under the client package that you don't want
your users to see/fuzz.

Also, by all means sanitize your data in the classes under the server
package.  Don't pass in variables blindly.  Later you can add some
client side sanitizing if you want, but compared to the server side,
it's not necessary.

Use prepared statements, etc etc, profit!

On Tue, Jun 9, 2009 at 9:58 AM, Peter Ondruška <[email protected]> wrote:
>
> As with anything unless you test you are never sure. For example there
> used to be a bug in Jetty long time ago which allowed access to
> WEB-INF content. This is fixed but such a bug can be introduced with
> other containers as well. Just my €.02. Peter
>
> 2009/6/9, mnenchev <[email protected]>:
>>
>> WEB-INF is a private directory, no one outside could access it. So,
>> storing username and pass there is totally secured, but I have never
>> tried it. As I told you it is secured, don't worry.
>>
>> Sean wrote:
>>> So, not to be paranoid or anything, but there are no tricks or
>>> anything to get into the WEB-INF folder and beyond? If I try to access
>>> it from a browser I do get the 403 (FORBIDDEN) error, I just want to
>>> make sure there's no quick turn around for that. I guess I lied, I am
>>> paranoid. Thanks for your help!
>>>
>>> On Jun 9, 7:55 am, mnenchev <[email protected]> wrote:
>>>
>>>> Everything which is in your server package is on the server, so no one
>>>> could access your private data. It is like in hibernate, that has a
>>>> hibernate config file where the user and pass are stored. This config
>>>> file is on the server and no one has access to it.
>>>>
>>>> Sean wrote:
>>>>
>>>>> In regards to using RPC's to access a database, I am worried about
>>>>> security. I'd love to use an RPC to access a DB, but what I can't
>>>>> figure out is how to store the name and pw of the DB. I'm afraid if I
>>>>> put it right in the code someone could just read it. If I try to read
>>>>> it from a file, I'm afraid that they will see the path to the file and
>>>>> read it.
>>>>>
>>>>> Is it secure enough to put the PW in a locked directory from the
>>>>> outside world and read it? I'm afraid it'd be too easy to break in.
>>>>> How do you do it?
>>>>>

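As an added example (not code from the thread, and not GWT's own), here is what the advice above looks like in a GWT server-side class: the DB credentials are loaded from a properties file under WEB-INF/classes, the one untrusted input is validated on the server, and the query uses a PreparedStatement rather than string concatenation. The package names, the UserService RPC interface, the db.properties file and its keys, and the users table are all assumptions.

```java
package com.example.server;

import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Properties;
import java.util.regex.Pattern;

import javax.servlet.ServletException;

import com.example.client.UserService;               // assumed GWT RemoteService interface
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/**
 * Server-side implementation of the (assumed) UserService RPC interface.
 * Credentials live in WEB-INF/classes/db.properties, which is on the webapp
 * classpath but is never served to browsers, and is never referenced from
 * the client package (that code is compiled to JavaScript anyone can read).
 */
public class UserServiceImpl extends RemoteServiceServlet implements UserService {

    // Allow-list for the one untrusted input this service accepts.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{1,32}");

    private final Properties db = new Properties();

    @Override
    public void init() throws ServletException {
        // Constructed example of WEB-INF/classes/db.properties:
        //   url=jdbc:postgresql://localhost/app
        //   user=app_ro
        //   password=change-me
        try (InputStream in = getClass().getResourceAsStream("/db.properties")) {
            if (in == null) {
                throw new ServletException("db.properties is missing from WEB-INF/classes");
            }
            db.load(in);
        } catch (IOException e) {
            throw new ServletException("could not read db.properties", e);
        }
    }

    /** RPC entry point: looks up a user's e-mail address by username. */
    @Override
    public String findEmail(String username) {
        // Validate on the server; client-side checks are cosmetic because the
        // client is JavaScript under the user's control.
        if (username == null || !USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        // A bound parameter, never "... WHERE username = '" + username + "'".
        String sql = "SELECT email FROM users WHERE username = ?";
        try (Connection c = DriverManager.getConnection(
                     db.getProperty("url"), db.getProperty("user"), db.getProperty("password"));
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        } catch (SQLException e) {
            // Log the detail server-side; the client only sees a generic failure.
            log("findEmail failed", e);
            throw new IllegalStateException("lookup failed");
        }
    }
}
```

The matching UserService and UserServiceAsync interfaces would sit in the client package and declare only the method signature; nothing in them, or anywhere under the client package, should name the properties file, the JDBC URL, or the account.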
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group (http://groups.google.com/group/Google-Web-Toolkit?hl=en).
