Agreed.  What the client sends to the server can be the wild west.  Never 
trust it.

My recipe, YMMV, but my apps hide display of access-limited objects on the 
client side (all are there in the js), but more to avoid confusion to users 
than as a security measure.  The real security is on the server side, which 
they cannot alter with js live editing tools or faked GET/POST/RPC requests. 
When they first login I get access privs from the datastore and put them 
into the server session attribs as well as pass them back to the client to 
control widget display per access.

Client side:

// Const is the constants holder (name assumed; "const" itself is a reserved
// word in JS and Java, so it cannot be used as an identifier).
if (hasAccess(clientSession, Const.SUPER))
  showWidget();


Server side:

public boolean doSomething() throws AccessException
  {
  // Privs were stored in the session at login, so this check does not
  // depend on anything the client sent with this request.
  HttpSession sess = getThreadLocalRequest().getSession();

  if (hasAccess(sess, Const.SUPER))
    return doSuperThing();
  else
    throw new AccessException("Access denied!");
  }

Comments welcome.  Always looking for a better mousetrap.  :-)

-William
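One way to wire this recipe together in a GWT RemoteServiceServlet, as an added example that is not William's code: privileges are loaded into the session once at login, and every privileged RPC re-checks that server-held copy rather than anything the client sends. The class names, the session attribute key and the lookupPrivs helper are assumptions.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Privilege levels; the client gets a copy only to decide what to display.
enum Priv { USER, SUPER }

// Thrown back over RPC; GWT needs it Serializable to cross the wire.
class AccessException extends Exception implements Serializable {
    AccessException(String msg) { super(msg); }
}

// Service implementation (name assumed); the RemoteService interface is omitted.
public abstract class AdminServiceImpl extends RemoteServiceServlet {
    static final String PRIVS_ATTR = "privs"; // session attribute key (assumed)

    // Supplied by a concrete subclass: privileges come from the datastore,
    // never from the request body.
    protected abstract Set<Priv> lookupPrivs(String user, String password)
            throws AccessException;

    // Login: store the datastore result in the server session, then hand the
    // client a copy it uses only to show/hide widgets.
    public Set<Priv> login(String user, String password) throws AccessException {
        Set<Priv> privs = Collections.unmodifiableSet(lookupPrivs(user, password));
        HttpSession sess = getThreadLocalRequest().getSession(true);
        sess.setAttribute(PRIVS_ATTR, privs);
        return privs;
    }

    // The authoritative check reads the server-held copy and ignores client input.
    static boolean hasAccess(HttpSession sess, Priv required) {
        if (sess == null) return false;
        Object attr = sess.getAttribute(PRIVS_ATTR);
        return attr instanceof Set && ((Set<?>) attr).contains(required);
    }

    // A forged RPC call with no logged-in session, or one without SUPER, fails
    // here regardless of what the client's widget logic decided.
    public String doSomething() throws AccessException {
        HttpSession sess = getThreadLocalRequest().getSession(false); // never create one here
        if (!hasAccess(sess, Priv.SUPER))
            throw new AccessException("Access denied!");
        return doSuperThing();
    }

    private String doSuperThing() { return "super thing done"; }
}
```

A session that outlives a privilege change keeps the old set until the next login, so revoking SUPER in the datastore should also invalidate that user's session.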

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/7eCBXy3XPOMJ.