http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
This FAQ and the Security for GWT Applications article it links to should help.

- Isaac

On Wed, Jul 29, 2009 at 1:40 PM, Trevis <[email protected]> wrote:
>
> Ah, I understand your concern.
>
> Hm. Maybe someone with more GWT experience can chime in on this, but I'm thinking this: it's not like you have a simple hidden DIV in the browser that you're deciding to show dynamically. You have a JavaScript function that generates that div, which I'd imagine would be a lot trickier to hack (though probably not impossible if the hacker were properly motivated). Even still, what would the hacker have access to at that point? He'd see the admin tab... but what could he do with it? You should implement your security so that the admin RPC methods also require some kind of authentication. This way, a determined hacker may be able to see the tab, but he still couldn't do anything with it. Not knowing your exact application, this may have other complications, but that is the way I'd probably be thinking of doing it.
>
> I'd love to hear some alternative solutions, as I'm pretty much in the same boat as you are. I'm porting my first major application to GWT, and I've been going with the assumption that server-based security for the admin RPCs combined with obfuscated JavaScript will give me a similar level of security to what I would get by traditional means. (Though arguably better, since there will be no history trail to the admin pages left in the browser, since GWT allows you to not cause any browser history footprint that you don't deliberately generate.)
>
> On Jul 29, 12:27 pm, Nickelnext <[email protected]> wrote:
>> Hello
>>
>> You suggest that when the callback gets the onSuccess and the user is valid, I can simply add a new tab or panel or whatever, making the Admin Area visible?
>>
>> Your solution would be perfect, and I thought of it already, but my question is: isn't it easily hackable? I mean, inside the JavaScript that GWT compiles there would also be the admin area, so a malicious user could, with some tricks, retrieve the content and do some ugly things with my app, couldn't he?
>>
>> What I mean is: is this easy and fast solution also secure? Would the admin area part be untouchable if the user doesn't authenticate himself, or would there be a possibility? Because, if I'm not wrong, the solution you suggest isn't like one with, for example, a PHP page that renders a new HTML page with the private content; here the content itself is in the application, because the Admin Area tab (or whatever) is in the client code (and so in the browser of whoever opens my app).
>>
>> Sorry for my bad bad English, hope you get the point.
>> Thank you!
>> Nickelnext
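The server-side check Trevis describes, as an added illustration that is not code from the thread or from GWT itself. It assumes an `AdminService` RPC interface declaring the two methods below and a separate login servlet that stores the role string in the `HttpSession` under the attribute name `"role"`; with this in place, whether the admin tab is visible in the compiled JavaScript has no security effect.

```java
// Added example: a GWT RPC servlet that enforces admin authorization for every
// admin method on the server, independent of what the client UI shows or hides.
// Assumptions: AdminService (extends RemoteService) declares isAdmin() and
// deleteUser(); an assumed login servlet sets session attribute "role".
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class AdminServiceImpl extends RemoteServiceServlet implements AdminService {

    private static final String ROLE_ATTR = "role"; // set by the assumed login servlet

    // Constructed stand-in for a real user store, so the method below does real work.
    private final Set<String> users = Collections.synchronizedSet(new HashSet<String>());

    /** True only if the caller's existing session carries the admin role. */
    private boolean callerIsAdmin() {
        // getSession(false): inspect an existing session, never create one here
        HttpSession session = getThreadLocalRequest().getSession(false);
        return session != null && "admin".equals(session.getAttribute(ROLE_ATTR));
    }

    /** Gate every privileged method; the client cannot bypass this by showing the tab. */
    private void requireAdmin() {
        if (!callerIsAdmin()) {
            // Propagates as an RPC failure: the client's AsyncCallback gets onFailure
            throw new SecurityException("admin privileges required");
        }
    }

    @Override
    public boolean isAdmin() {
        // Safe to call before login: only tells the client whether to add the admin tab
        return callerIsAdmin();
    }

    @Override
    public boolean deleteUser(String username) {
        requireAdmin();              // the actual security boundary lives here, not in the UI
        return users.remove(username);
    }
}
```

On the client, call `isAdmin()` and add the tab in `onSuccess` when it returns true; a tampered client that adds the tab anyway still cannot get past `requireAdmin()`.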
