One way is to use a dynamic host page instead of static HTML: http://code.google.com/webtoolkit/articles/dynamic_host_page.html
You can also use a non-GWT auth mechanism like a servlet filter and redirect to the GWT app after successful authentication. But fundamentally, you shouldn't ever trust the client, so you should write your GWT app so as not to expose "secrets" in the JS code at all.

On Mon, Mar 21, 2011 at 11:37 AM, Nuno Teodoro <[email protected]> wrote:

> Hi all,
>
> I've seen this as a problem (or best practice) that should be
> addressed which relates with OWASP's GWT presentation where they state
> that:
>
> Are the {HEX}.cache.html files accessible by unauthenticated users?
> Is the login functionality implemented using GWT RPC?
> If yes, the {HEX}.cache.html file will be leaking out information to
> unauthenticated users!
>
> How should one prevent the {HEX}.cache.html from being accessible by
> unauthenticated users?
>
> Best regards
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Web Toolkit" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-web-toolkit?hl=en.

--
David Chandler
Developer Programs Engineer, Google Web Toolkit
w: http://code.google.com/
b: http://googlewebtoolkit.blogspot.com/
t: @googledevtools
