Friday, July 30, 2010

Re: Protected Page + PopupPanel

Typically, I like to avoid this problem altogether, and NOT allow the
user to see the GWT page
until they are logged in. The Login page is normal JSP, and I employ a
ServletFilter to check
that if the user tries to load the GWT page and is not logged in, they
get redirected to the Login
JSP. There is a specific reason I do this: People who are not
registered, valid, signed-in users
CAN NOT see the GWT JavaScript code, thus can not figure out how
to ... subvert the generated
JavaScript for evil purposes. I guarantee you that if I can see your
GWT JS, I can figure out how
to hack it to let me do something I shouldn't. Now, we just have to
worry about our real, valid
users, but then, they usually are not trying to hack something to get
IN. If they are, then you
have a problem with your CUSTOMERS, and not everyone of the Net' who
can see the JS.

My $0.02

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to
To unsubscribe from this group, send email to
For more options, visit this group at

No comments:

Post a Comment