I have a GWT application that among many things shows PDFs that are stored
on the server side. I have a security related question, as described below.
When a user logs in through a dialogue on the client side, I make a note of
the userid they entered while processing the login on the server side.
This is all done through the normal GWT RPC Infrastructure:
HttpSession session = getThreadLocalRequest().getSession();
session.setAttribute("USER", userId);
I have a separate servlet that is responsible for locating and delivering
PDF content back to the browser when requested. When the user clicks a
button in the GWT client, I open a new browser window and address the
servlet to produce the desired PDF. A reference to the name of the PDF
required is stored in a client side cookie (and transmitted in the HTTP
request).
Window.open(GWT.getModuleBaseURL() + "Showpdf", "PDF Viewer", "");
The servlet needs to check that whoever is making the request is authorised to
view the PDF requested, and checks the user name stored in the HttpSession
earlier:
HttpSession session = request.getSession();
String user = (String)session.getAttribute("USER");
// Do whatever is required to check the user can access the required PDF
Is this approach safe from hacking? Is there a way the user name can be
spoofed by a hacker to gain access to a PDF they are not authorised for?
Is there another way of doing this?
Thanks
Simon
--
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/google-web-toolkit/-/qPvb-wP7YFIJ.
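A hardened version of the Showpdf servlet, written here as an added example rather than Simon's code: the USER attribute lives only on the server, so a client that does not hold the session cookie cannot forge it, but the PDF name does come from a client-controlled cookie, so entitlement must be decided from server-side data and the name must never be trusted. It assumes the javax.servlet API and Java 9+; the cookie name, PDF directory and permission table are placeholders.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ShowPdfServlet extends HttpServlet {
    private static final File PDF_ROOT = new File("/var/app/pdfs"); // assumed location
    private static final String PDF_COOKIE = "pdfName";             // assumed cookie name
    // Assumed permission table (user -> PDFs they may read). In a real deployment this
    // lookup is done against server-side data, never against anything the client sends.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "alice", Set.of("report-2012.pdf", "invoice-17.pdf"),
        "bob", Set.of("invoice-17.pdf"));

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false) never creates a session, so a request without a valid
        // session cookie, or whose session never saw a login, is rejected outright.
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("USER");
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The PDF name arrives in a client-controlled cookie: it is input to the
        // authorisation decision, never evidence of entitlement.
        String requested = null;
        Cookie[] cookies = request.getCookies();
        for (Cookie c : cookies == null ? new Cookie[0] : cookies) {
            if (PDF_COOKIE.equals(c.getName())) requested = c.getValue();
        }
        if (requested == null || !ALLOWED.getOrDefault(user, Set.of()).contains(requested)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Defence in depth: the resolved file must still lie under PDF_ROOT.
        File pdf = new File(PDF_ROOT, requested);
        if (!pdf.getCanonicalPath().startsWith(PDF_ROOT.getCanonicalPath() + File.separator)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("application/pdf");
        Files.copy(pdf.toPath(), response.getOutputStream());
    }
}
```

What remains to protect is the session cookie itself (serve the application over HTTPS and mark the cookie HttpOnly and Secure), since anyone holding a valid session ID inherits that session's USER attribute.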