On 3 Jul, 06:59, ytrewqsm <[email protected]> wrote:
> I read this on several occasions while reading about GWT.
>
> Now can anyone clear this up for me?
>
> 1) Does this mean that on the server side it is recommended not to use
> a servlet session?

To keep things simple: yes.

> 2) How can I secure the application if the client only has state and
> the server is stateless?

I don't understand... Read about "REST", it says it all.

> 3) BTW, each time I pass credentials on method calls? Is that not
> something insecure?

How would you do it otherwise?
Having a stateless server doesn't mean you have to send username/
password on each request; you could very well establish a first
handshake and then send an auth ticket on each call. I'd say that for
this handshake you *could* use a servlet session (that would be the
only exception when you could use one), though I wouldn't recommend it
security-wise (search for CSRF, e.g.
http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf)

> 4) How can those be passed securely?

See above.

But in a few words, when one talks about a stateless server, one
generally doesn't talk about authentication, as this requires some sort
of "shared state" to make it secure.
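One way to build the auth ticket described in the reply above, as an added example that is not part of the original message or of GWT: after the login handshake the server signs the user name and an expiry time with HMAC-SHA256 and re-checks that signature on every call, so the only state kept on the server is the signing key. The class and method names, the ticket layout, and the idea of sending the ticket in a request header or RPC argument rather than a cookie are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration: HMAC-signed auth ticket. All names here are hypothetical.
public class AuthTicket {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private static byte[] mac(byte[] key, byte[] data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(data);
    }

    // Called once, after the login handshake has checked the password.
    static String issue(byte[] key, String user, long expiresAtEpochSec) throws Exception {
        byte[] payload = (user + "|" + expiresAtEpochSec).getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(mac(key, payload));
    }

    // Called on every RPC; returns the user name, or null if the ticket is rejected.
    static String verify(byte[] key, String ticket, long nowEpochSec) throws Exception {
        int dot = ticket.indexOf('.');
        if (dot < 0) return null;
        byte[] payload, sig;
        try {
            payload = DEC.decode(ticket.substring(0, dot));
            sig = DEC.decode(ticket.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // not valid base64url
        }
        // Check the MAC in constant time before trusting anything in the payload.
        if (!MessageDigest.isEqual(mac(key, payload), sig)) return null;
        String text = new String(payload, StandardCharsets.UTF_8);
        int bar = text.lastIndexOf('|');
        if (bar < 0 || Long.parseLong(text.substring(bar + 1)) <= nowEpochSec) return null;
        return text.substring(0, bar);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        String t = issue(key, "alice", 1_000L + 900);      // constructed sample values
        System.out.println(verify(key, t, 1_000L));         // case: valid ticket
        System.out.println(verify(key, t + "A", 1_000L));   // case: tampered signature
        System.out.println(verify(key, t, 2_000L));         // case: past expiry
    }
}
```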