Just my 2 cents:

> 1) Even though users cannot execute, for example, administrative RPC
> methods, by reverse engineering the JavaScript they may still be able
> to read sensitive information regarding the format or nature of the
> available administrative requests. Careful developers may be able to
> avoid revealing such information, but it may not be easy to instruct
> every developer on the team on how to avoid revealing subtle but
> security-sensitive clues about the system.

Hiding or obfuscating will not stop a determined attacker anyway, so there's no reason to worry about that. That does of course not mean that you shouldn't do it if it's easy: e.g. of course use the OBF mode when compiling the GWT app; just make sure that all service methods are properly secured on the server side.

> 2) Some users will download code that they will not necessarily
> execute, making the application needlessly larger.

RunAsync should help:

* If the user doesn't have the required permission to e.g. open an admin view, then hide the button or menu element - the user will not see it and it will not get downloaded.
* If an admin is logged in, you'll of course show the button/menu element, and if she clicks the button, RunAsync will kick in and the relevant code will be downloaded.
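The pattern the reply describes, written out as an added example (this is not code from the original post or from the GWT project): the client hides the admin button for non-admins, loads the admin fragment on demand with `GWT.runAsync` when an admin clicks it, and the server re-checks the role inside every administrative RPC method, because hiding the button and obfuscating the compiled output do not stop anyone from crafting the RPC request by hand. `AdminService`, `AdminServiceAsync`, `AdminServiceImpl`, `AdminPanel`, `UserStore` and the `sessionIsAdmin` flag are hypothetical names chosen for the example; `GWT.runAsync`, `RunAsyncCallback`, `AsyncCallback`, `RemoteService`, `RemoteServiceRelativePath`, `RemoteServiceServlet` and the servlet `isUserInRole` check are real APIs. The two classes below live in separate files on a real project (shared/client and server source paths).

```java
// Added example, not from the original post or the GWT project.
// Hypothetical names: AdminService, AdminServiceAsync, AdminServiceImpl,
// AdminPanel, UserStore, sessionIsAdmin.

// --- shared: AdminService.java (plus the usual AdminServiceAsync interface) ---
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;

@RemoteServiceRelativePath("admin")
public interface AdminService extends RemoteService {
    void deleteUser(String username);
}

// --- client: AdminEntry.java ---
import com.google.gwt.core.client.GWT;
import com.google.gwt.core.client.RunAsyncCallback;
import com.google.gwt.event.dom.client.ClickEvent;
import com.google.gwt.event.dom.client.ClickHandler;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.ui.Button;
import com.google.gwt.user.client.ui.RootPanel;

public class AdminEntry {

    // sessionIsAdmin is assumed to come from the server at login time.
    // It only decides what the UI shows; it is not a security check.
    public void buildMenu(final boolean sessionIsAdmin) {
        final Button adminButton = new Button("Administration");

        // Non-admins never see the button, so the admin fragment is never requested.
        adminButton.setVisible(sessionIsAdmin);

        adminButton.addClickHandler(new ClickHandler() {
            public void onClick(ClickEvent event) {
                // Split point: everything reachable only from onSuccess() is compiled
                // into a separate JavaScript fragment that is downloaded on first click.
                GWT.runAsync(new RunAsyncCallback() {
                    public void onFailure(Throwable reason) {
                        Window.alert("Could not load the admin module: " + reason.getMessage());
                    }

                    public void onSuccess() {
                        // Hypothetical class in the fragment; it creates the
                        // AdminServiceAsync proxy and the admin view.
                        AdminPanel.open();
                    }
                });
            }
        });

        RootPanel.get().add(adminButton);
    }
}

// --- server: AdminServiceImpl.java ---
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class AdminServiceImpl extends RemoteServiceServlet implements AdminService {

    // The real boundary: every administrative RPC method re-checks the role
    // against the container's authenticated session, regardless of what the
    // client showed or hid. An attacker who reads the obfuscated JavaScript can
    // still send this request; this check is what stops it.
    public void deleteUser(String username) {
        if (!getThreadLocalRequest().isUserInRole("admin")) {
            throw new SecurityException("admin role required");
        }
        UserStore.delete(username); // hypothetical data-access helper
    }
}
```

The `sessionIsAdmin` flag and `setVisible(false)` only reduce download size and clutter, exactly as the reply says; the `isUserInRole("admin")` check in `AdminServiceImpl` is the only line that actually enforces the permission, so it has to appear in every administrative method, not just in the one that opens the view.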
