Friday, July 30, 2010

Re: Protected Page + PopupPanel

Typically, I like to avoid this problem altogether, and NOT allow the
user to see the GWT page
until they are logged in. The Login page is normal JSP, and I employ a
ServletFilter to check
that if the user tries to load the GWT page and is not logged in, they
get redirected to the Login
JSP. There is a specific reason I do this: People who are not
registered, valid, signed-in users
CAN NOT see the GWT JavaScript code, thus can not figure out how
to ... subvert the generated
JavaScript for evil purposes. I guarantee you that if I can see your
GWT JS, I can figure out how
to hack it to let me do something I shouldn't. Now, we just have to
worry about our real, valid
users, but then, they usually are not trying to hack something to get
IN. If they are, then you
have a problem with your CUSTOMERS, and not everyone of the Net' who
can see the JS.

My $0.02

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.

No comments:

Post a Comment