To easily hide/disable things from the user if he doesn't have access, we
created a custom class 'SecurePanel'.

Assuming you are using UiBinder, we then have something like this in our
ui.xml:

<my:SecurePanel role="admin">
    <h2>Secure Page</h2>
    <gwt:Button ui:field="mySecureButton" text="My very secret button"></gwt:Button>
</my:SecurePanel>

Whatever is in SecurePanel will then show up only if the currently logged-in
user is an admin (meaning it will still be there in the JS/HTML code, but just
hidden).

SecurePanel just extends HTMLPanel and has a setRole() method. In the
setRole() method, you just call this.setVisible(false) if the user doesn't
have the right role. In this case, we assume that role/access information is
global information accessible to SecurePanel.

This makes our lives pretty easy - no messy if / else in Java code.

--Sri


On 16 April 2010 20:29, sven <[email protected]> wrote:

> Thx for your quick response.
> Of course the server shouldn't allow operations that the user isn't
> allowed to. I just wanted to know if it's possible to serve the
> browser only the code he is allowed to see.
> But you're right, even if an attacker can see methods it would be
> useless for him as long as the execution of functions is only allowed
> for certain roles or users.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Web Toolkit" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-web-toolkit?hl=en.
>
>
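
Added example (not part of the original thread and not Sri's code): a sketch of the SecurePanel described above next to the server-side role check that sven's reply refers to. CurrentUser, AdminServiceImpl, deleteAccount and the "roles" session attribute are hypothetical names, and the String constructor assumes UiBinder passes the panel's inner HTML to it.

```java
// Added sketch. All three types are shown in one listing for brevity; in a GWT
// project the panel belongs in the client package and the servlet in the server
// package, each as a public class in its own file.
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.client.ui.HTMLPanel;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/** Hypothetical client-side holder for the roles the server reported at login. */
final class CurrentUser {
    static Set<String> roles = Collections.emptySet();
    static boolean hasRole(String role) { return roles.contains(role); }
}

/** Cosmetic only: the children are still shipped in the compiled JS/HTML. */
class SecurePanel extends HTMLPanel {
    // Assumption: UiBinder hands the panel's inner HTML to this constructor.
    public SecurePanel(String html) { super(html); }

    /** UiBinder maps role="admin" in ui.xml to setRole("admin"). */
    public void setRole(String role) {
        if (!CurrentUser.hasRole(role)) {
            setVisible(false);
        }
    }
}

/** Server side: the check that decides whether the operation runs. */
class AdminServiceImpl extends RemoteServiceServlet {
    // The RemoteService interface this servlet would implement is omitted.
    public String deleteAccount(String accountId) {
        requireRole("admin"); // never trust what the client chose to display
        // The privileged operation itself would go here (application-specific).
        return accountId;
    }

    private void requireRole(String role) {
        // getSession(false): do not create a session for an anonymous caller.
        HttpSession session = getThreadLocalRequest().getSession(false);
        Object roles = (session == null) ? null : session.getAttribute("roles");
        if (!(roles instanceof Set) || !((Set<?>) roles).contains(role)) {
            throw new SecurityException("role required: " + role);
        }
    }
}
```

A caller who invokes the RPC directly without the admin role gets the exception from requireRole, whatever the panel showed or hid.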
