I would say that every web application which has its security only inside the frontend (browser) is insecure by default. If an evil person is smart, he can manipulate the JavaScript and make invisible forms visible, submit unverified data and change the current userid & password when they are stored inside the client.

To prevent this you have to include business-side security. I am using Spring Security and have gained very good experience with it. On the business side, assume that every incoming request could be manipulated, so you have to add strong verification processes. With Spring Security you can manage roles and permissions inside the SecurityContext (located on the server), which is much more secure than implementing RPC with username & password as values.

On 28 Oct., 16:48, Open eSignForms <[email protected]> wrote:

> Not necessarily a GWT question, but GWT certainly makes use of many widgets that contain data perhaps downloaded over SSL from a secure web site. The data is obviously in the clear inside the web browser, which is expected and fine.
>
> But are there any security issues if someone frames your web site or otherwise gets the same web browser page to load javascript from another web site, can the other web site's javascript work through the DOM or the JS global pool to find all the data?
>
> Would it be bad practice for the GWT client to keep the userid and password used to authenticate so it can send them in every subsequent RPC, both to defeat session hijacking (rather than sending a server-side token that closely mirrors the session id) and as a way to allow the client to auto-login itself should the request come in when the server has already terminated its session (either because it expired or was restarted, etc.)?
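The server-side check the reply recommends, as an added example that is not part of the original thread or of any project's code: a GWT RPC servlet that takes the caller's identity and roles from Spring Security's SecurityContext instead of from values the browser sends. The `AccountService` interface, `ROLE_ADMIN` and `loadSummary` are assumptions made for the example.

```java
// Added example (not from the original thread): a GWT RPC service whose
// authorization is decided on the server from Spring Security's
// SecurityContext, never from a userid or password sent by the client.
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Hypothetical RPC interface shared with the GWT client.
interface AccountService extends RemoteService {
    String accountSummary(String requestedUserId);
    void deleteAccount(String userId);
}

public class AccountServiceImpl extends RemoteServiceServlet implements AccountService {

    // Anti-pattern the reply warns about: the server trusts whatever userid
    // arrives in the RPC, so a modified client can ask for any account.
    public String insecureSummary(String requestedUserId) {
        return loadSummary(requestedUserId);
    }

    // Server-side version: identity comes from the session-backed
    // SecurityContext, which the browser cannot edit; the client-sent
    // parameter is only honoured if it matches the principal or the
    // principal holds the admin role.
    @Override
    public String accountSummary(String requestedUserId) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new SecurityException("not authenticated");
        }
        if (!auth.getName().equals(requestedUserId) && !hasRole(auth, "ROLE_ADMIN")) {
            throw new SecurityException("not allowed to read this account");
        }
        return loadSummary(requestedUserId);
    }

    // Declarative form of the same idea. Spring enforces it before the body
    // runs only when this servlet is a Spring-managed bean and method
    // security (pre/post annotations) is enabled in the configuration.
    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteAccount(String userId) {
        // placeholder for the real deletion
    }

    private static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) return true;
        }
        return false;
    }

    // Placeholder data access; a real service would read the account store.
    private String loadSummary(String userId) { return "summary for " + userId; }
}
```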
