The idea behind security is simple: trust no one and trust nothing... only
when whoever tries to access something has authenticated themselves and
is authorized to access whatever it is they are attempting to access, allow
this action.

So try and hide anything that a user should not have access to. This will
prevent them from attempting to access it and limits the number of errors
or warnings you will have to show.
Always check the credentials on every single call; don't assume that, due to
the user having access to a button, they must have the rights. Check these
rights instead.
If at all possible do not provide access at all; the more access you have to
give, the more likely it is this will be abused. If you think you are being
paranoid you need to look for another job; you can never be paranoid enough
;-)

In all honesty I think that GWT is not a very good platform for secure
applications, for the simple reason that a lot of the hiding of functionality
happens on the wrong system (the client side). Now there is a lot to say
against security through obscurity, but look at it this way: if you had never
seen or heard about an iPhone or iPad, would you want one? Exactly, 99% of
people would say no to that, and that means a big reduction in the number
of people that might try and get one...

If you are working on a system that should be as secure as possible I would
advocate against GWT simply because, as originally said, most of the hiding of
functionality happens on the wrong system, which means that attackers gain a
lot of knowledge that would otherwise be just that bit harder to come by. Of
course there is nothing stopping them from gaining this knowledge anyway,
but every hurdle is one more reason to leave your site for what it is and
try to mess with your neighbor's site instead.

No matter how many people advocate against the obscurity argument, less
information is the reason wars have been lost, and in this day and age, where
information makes Google... restricting access to information means slightly
more security for your site no matter which way you look at it.


On Fri, Jul 8, 2011 at 9:09 PM, David Chandler <drfibona...@google.com>wrote:

> Agreed! Don't show the button if the user doesn't have permissions. But
> also check perms on the server to protect against hackers.
>
> /dmc
>
> On Fri, Jul 8, 2011 at 2:54 PM, Alberto Sarubbi <asaru...@gmail.com>wrote:
>
>> We actually protect EVERY call to our server, validating the user
>> rights before proceeding to the service execution.
>>
>> It just doesn't seem right to show a user a button that he can't click
>> because he doesn't have the permission to do so.
>> It sounds more logical not to show the button at all.
>> Of course, validations on the server side will catch any click on a
>> forbidden button, then comes the question: why would I show
>> the button then?..
>>
>>
>> Thanks for the advice people. Maybe I just don't get the JS GUI
>> development right yet :)
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Google Web Toolkit" group.
>> To post to this group, send email to google-web-toolkit@googlegroups.com.
>> To unsubscribe from this group, send email to
>> google-web-toolkit+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/google-web-toolkit?hl=en.
>>
>>
>
>
> --
> David Chandler
> Developer Programs Engineer, GWT+GAE
> w: http://code.google.com/
> b: http://turbomanage.wordpress.com/
> b: http://googlewebtoolkit.blogspot.com/
> t: @googledevtools
>

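The pattern the thread converges on (hide the button in the GWT client, but enforce the right on the server for every RPC call) as an added example; this is not code from any of the posters or from the GWT project. It assumes a hypothetical GWT RPC service named `OrderService`, a hypothetical right string `orders.approve`, and a login step that has already stored the caller's rights in the `HttpSession` under the attribute name `rights` as a `Set<String>`. Each public class would live in its own file in a real project: the interfaces in the client package, the servlet in the server package.

```java
// ---- shared: NotAuthorizedException.java (GWT RPC needs a no-arg constructor) ----
import java.io.Serializable;

public class NotAuthorizedException extends Exception implements Serializable {
    public NotAuthorizedException() { }
}

// ---- client: OrderService.java ----
import java.util.Set;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;

@RemoteServiceRelativePath("orders")
public interface OrderService extends RemoteService {
    String APPROVE_RIGHT = "orders.approve";   // hypothetical right name, shared by both sides

    /** Tells the UI which rights the logged-in user has, so it can hide widgets. */
    Set<String> myRights();

    /** Privileged action. The server re-checks the right on every call. */
    void approveOrder(long orderId) throws NotAuthorizedException;
}

// ---- client: OrderServiceAsync.java (mirror interface GWT requires) ----
import com.google.gwt.user.client.rpc.AsyncCallback;

public interface OrderServiceAsync {
    void myRights(AsyncCallback<Set<String>> callback);
    void approveOrder(long orderId, AsyncCallback<Void> callback);
}

// ---- server: OrderServiceImpl.java ----
import java.util.Collections;
import java.util.HashSet;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class OrderServiceImpl extends RemoteServiceServlet implements OrderService {

    /** Rights are read from the server-side session only, never from the request body. */
    @SuppressWarnings("unchecked")
    private Set<String> rightsOfCaller() {
        HttpSession session = getThreadLocalRequest().getSession(false); // never create one here
        if (session == null) {
            return Collections.emptySet();                // not logged in: no rights at all
        }
        Object rights = session.getAttribute("rights");   // assumed to be set at login
        return rights instanceof Set ? (Set<String>) rights : Collections.<String>emptySet();
    }

    private void require(String right) throws NotAuthorizedException {
        if (!rightsOfCaller().contains(right)) {
            throw new NotAuthorizedException();           // deny without explaining why
        }
    }

    public Set<String> myRights() {
        return new HashSet<String>(rightsOfCaller());
    }

    public void approveOrder(long orderId) throws NotAuthorizedException {
        require(APPROVE_RIGHT);   // enforced on every call, regardless of what the UI showed
        // ... approve the order (omitted) ...
    }
}

// ---- client: wiring the button ----
import com.google.gwt.core.client.GWT;
import com.google.gwt.event.dom.client.ClickEvent;
import com.google.gwt.event.dom.client.ClickHandler;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.ui.Button;
import com.google.gwt.user.client.ui.RootPanel;

public class ApproveButtonSetup {
    public void install(final long orderId) {
        final OrderServiceAsync service = GWT.create(OrderService.class);
        final Button approve = new Button("Approve order");
        approve.setVisible(false);          // hidden until the server says the user may approve
        RootPanel.get().add(approve);

        service.myRights(new AsyncCallback<Set<String>>() {
            public void onSuccess(Set<String> rights) {
                approve.setVisible(rights.contains(OrderService.APPROVE_RIGHT));
            }
            public void onFailure(Throwable caught) { /* stay hidden */ }
        });

        approve.addClickHandler(new ClickHandler() {
            public void onClick(ClickEvent event) {
                service.approveOrder(orderId, new AsyncCallback<Void>() {
                    public void onSuccess(Void result) { Window.alert("Approved"); }
                    public void onFailure(Throwable caught) {
                        // Reached when the server denies the call, e.g. a request sent
                        // outside the UI or rights revoked after the page was rendered.
                        approve.setVisible(false);
                    }
                });
            }
        });
    }
}
```

The visibility decision and the authorization decision use the same right name but are separate checks: `myRights()` only shapes the UI, while `require()` runs inside the servlet on every `approveOrder` call and reads the rights from the server-side session, so nothing the compiled client sends can widen them. Using `getSession(false)` avoids creating a session for an anonymous caller, and the exception carries no detail about which right was missing.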