Friday, July 30, 2010

Re: Protected Page + PopupPanel

On 30 July 2010 21:27, Dean S. Jones wrote:
> Sorry, again, looking at your above example, to make my point
> clear, using Firebug I can find (!user.isAuthenticated()) and any
> JS debugger to subvert it. GWT obfuscates JS code, but
> anyone with 1) curiosity and a brain, 2) ulterior motives, this
> is a cakewalk.
> Think about it.
> and
> NEVER TRUST THE CLIENT. Always verify every action for permission
> on the server side.

Very true and I thought about that. My reasoning is that without a
user token there will be no "interesting" data available (it's still
on the server) so there is no leak. And anyone can sign up for an
account so if a bad guy just wants to have a look at the JS code then
they can get it. Do you think there is a flaw in my logic?
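
The server-side check this exchange relies on, as an added example that is not part of the original thread. It is a sketch in plain Node.js rather than GWT's own RPC classes; `login`, `getProtectedPage`, the request shape and the sample records are hypothetical.

```javascript
const { randomBytes } = require('crypto');

// Server-side state (constructed sample data). None of this is shipped to the browser.
const SESSION_TTL_MS = 30 * 60 * 1000;
const sessions = new Map(); // token -> { user, expires }
const protectedData = { alice: ['invoice-001', 'invoice-002'] };

// Hypothetical login handler: issues an unguessable token and records it server-side.
function login(user, now = Date.now()) {
  const token = randomBytes(32).toString('hex');
  sessions.set(token, { user, expires: now + SESSION_TTL_MS });
  return token;
}

// Hypothetical handler behind the protected page.
// Anything the client asserts about itself (such as a flag mirroring
// user.isAuthenticated()) can be flipped in a debugger, so it is never read here.
// The only input that matters is a token the server itself issued.
function getProtectedPage(request, now = Date.now()) {
  const token = typeof request.token === 'string' ? request.token : '';
  const session = sessions.get(token);
  if (!session || session.expires <= now) {
    if (session) sessions.delete(token); // drop expired sessions on sight
    return { status: 401, body: null };
  }
  // Return only the session owner's records, never records named by the client.
  return { status: 200, body: protectedData[session.user] || [] };
}
```

A request that carries only a client-side "authenticated" flag gets a 401 and no data, which is the property the reply above depends on.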
