Unless your problem is truly unique, I'd probably not go the route of
deferred binding to solve this problem.  Not for the reason you
mention; compiling many modules for deployment is not really a big
deal, disk space is cheap.  But I think it will make your architecture
and testing far more complicated than it needs to be to solve your
problem.

In most cases, the buttons, tabs, etc. themselves aren't highly secret
things that you have to protect at all costs, but the data and
operations contained therein are.  So it's not a big deal if your
JavaScript contains code for the button "Delete All Users" or a tab
"Secret Financial Data" that it only creates for super admin users, as
your server should be enforcing for the given role whether the
operation is allowed.  Even if someone spent the time to hack the code
to find and expose that button or tab, it's useless because the server
simply won't allow the operation or supply the data to fill the tab.
You have to enforce the latter on the server side in any case, to
prevent hackers accessing data through direct calls.

So I'd recommend something where all the UI components in your app
contain their allowed roles, and are only created if the particular
user has the role.  Yeah, the downloaded code may be a little bigger
because it has the code for all users.  And yes, a determined hacker
could browse through tons of obfuscated JS code and discover what a
super admin interface would look like, but they wouldn't be able to
use it.  Or if you really do care about that, then go with deferred
binding or code splitting to prevent particular code from even being
downloaded, at the expense of a more complicated architecture.

On Apr 16, 7:02 am, sven <[email protected]> wrote:
> Hello everybody,
> I'm doing right now my first steps in GWT and my task is to build a
> role-based authorisation for a GWT application.
>
> The goal is that users can log in to the GWT application, but the
> users have no rights. They gain their rights through a role, that is
> linked to a user. Every role has of course different rights in the
> application and according to their rights, certain buttons, tabs,
> textareas etc. should not show up, if they have no right for it
> (it should not be solved in the JavaScript code and set as hidden if
> the role has no right for it, this kind of rights management should
> be performed on the server side).
>
> I've read now about "deferred binding" in GWT and it sounded to me like
> the feature I was looking for, because GWT creates then a customized
> application for this certain role. When this role is logging into the
> application it can decide what kind of application should be sent to
> the browser. But do I understand it right, for 10 different roles,
> there would be 10 different applications that have to be compiled and
> stored?
>
> If this is true, this would be a waste of resources on the system. If
> you have 2 different languages, 4 different browsers, 10 different
> roles there would be 80 different applications to compile that could
> be delivered?
>
> Is there another way to get a role-based authorisation in a GWT
> application?
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Google Web Toolkit" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-web-toolkit?hl=en.
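
The approach recommended in the reply above, as an added example that is not part of the original messages or of GWT itself: plain Java (16+) in which each UI component carries its allowed roles, while the server re-checks the role from its own session on every call. All names (`Role`, `Widget`, `AdminService`, the session ids) are hypothetical and the sample data is constructed.

```java
import java.util.*;

// Added illustration; every name here is hypothetical, not a GWT API.
public class RoleGatedUi {
    enum Role { USER, SUPER_ADMIN }
    // A UI component that carries the roles allowed to see it.
    record Widget(String label, Set<Role> allowedRoles) {}

    static final List<Widget> ALL_WIDGETS = List.of(
        new Widget("My Profile", EnumSet.of(Role.USER, Role.SUPER_ADMIN)),
        new Widget("Delete All Users", EnumSet.of(Role.SUPER_ADMIN)),
        new Widget("Secret Financial Data", EnumSet.of(Role.SUPER_ADMIN)));

    // Client side: convenience only. Creates just the widgets the role may see.
    static List<String> buildUi(Role role) {
        return ALL_WIDGETS.stream()
            .filter(w -> w.allowedRoles().contains(role))
            .map(Widget::label).toList();
    }

    // Server side: the authoritative check. The role is looked up in the
    // server-held session, never taken from a value the client sends.
    static class AdminService {
        private final Map<String, Role> sessions = new HashMap<>(); // sessionId -> role
        private final List<String> users = new ArrayList<>(List.of("alice", "bob"));

        void login(String sessionId, Role role) { sessions.put(sessionId, role); }

        int deleteAllUsers(String sessionId) {
            Role role = sessions.get(sessionId);   // null when not logged in
            if (role != Role.SUPER_ADMIN) {
                throw new SecurityException("deleteAllUsers denied for role " + role);
            }
            int removed = users.size();
            users.clear();
            return removed;
        }
    }

    public static void main(String[] args) {
        AdminService server = new AdminService();
        server.login("s-user", Role.USER);         // constructed sample sessions
        server.login("s-admin", Role.SUPER_ADMIN);
        System.out.println("USER sees: " + buildUi(Role.USER));
        try {
            server.deleteAllUsers("s-user");       // direct call that bypasses the UI
        } catch (SecurityException e) {
            System.out.println("Server refused: " + e.getMessage());
        }
        System.out.println("Admin removed " + server.deleteAllUsers("s-admin") + " users");
    }
}
```

The client-side filter in `buildUi` only decides what is drawn; the check inside `deleteAllUsers` is what keeps a non-admin session from performing the operation when the call is made directly.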
