Monday, November 1, 2010

Re: Role based Security in GWT: how to implement ?

Hi zixzigma,

Doing security in the client would be wrong.
Remember you are doing client-server with GWT (not fat client as
classical web technology does).
The client should only receive data which are allowed for the current
user role. The client is never ever a trusted component!
So in the end any client-based security concept (based on annotations
or whatever else) is just a misconception.

The server is the only place where security can apply.
But GWT is mainly a client-side topic.
Authentication-based security or role-based security will never be a
GWT (client) topic.

Stefan Bachert
http://gwtworld.de

On 30 Oct., 10:35, zixzigma <zixzi...@gmail.com> wrote:
> Hello everyone,
>
> I have some questions regarding implementing security in GWT.
>
> It's a typical use case:
> let's say in your app, users can have different roles,
> and you want to show only the relevant part of the UI, based on their
> role.
>
> and I am talking about more than 3 roles.
> eg:(Customer, BranchManager, Teller, CEO, System Admin)
> (after all GWT is for larger apps, right ? )
>
> on the back-end, i am planning to use Spring, and i'm going to use
> Spring Security,
> for authentication, fine-grained authorization, (method level, ACL),
> it is a very mature framework and annotation based.
>
> however, when it comes to the front-end UI, I don't know what is the
> recommended practice to incorporate role-based security in MVP. (i
> don't want the security checks get scattered across all methods on the
> client, bloated code, if statements everywhere, security is a cross-
> cutting concern, right? should i put it in the Activity/Presenter ?)
>
> I see GWT 2.1 release addresses security concerns, for cross-site
> scripting, and introducing SafeHtml.
> but nothing related to authorization.
>
> I would appreciate your insights and any feedback from google team,
> perhaps a tutorial addressing this aspect of application security is
> really needed !
>
> is it possible for GWT team to introduce annotation-based support for
> addressing security ?
> does it make sense at all, or i'm missing something.
>
> what have been your experiences in implementing security in GWT ?
>
> Thank You
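
An added example, not part of the original thread and not GWT or Spring Security code: a plain-Java sketch of the reply's point that the server decides what each role receives. The session ids, field names, ACL table and the `getAccountView` method are all hypothetical; the roles are the ones listed in the question.

```java
import java.util.*;

// Added illustration: plain Java, no GWT or Spring classes. All names are hypothetical.
public class ServerSideRoleFilter {
    enum Role { CUSTOMER, TELLER, BRANCH_MANAGER, CEO, SYSTEM_ADMIN }

    // Roles are bound to the session on the server at login, never sent by the client.
    static final Map<String, Set<Role>> SESSIONS = Map.of(
        "sess-alice", EnumSet.of(Role.CUSTOMER),
        "sess-bob", EnumSet.of(Role.TELLER, Role.BRANCH_MANAGER));

    // Which roles may read each field of an account record.
    static final Map<String, Set<Role>> FIELD_ACL = Map.of(
        "balance", EnumSet.of(Role.CUSTOMER, Role.TELLER, Role.BRANCH_MANAGER),
        "creditScore", EnumSet.of(Role.BRANCH_MANAGER),
        "auditTrail", EnumSet.of(Role.SYSTEM_ADMIN));

    // Constructed sample record.
    static final Map<String, String> ACCOUNT = Map.of(
        "balance", "1200.00", "creditScore", "710", "auditTrail", "3 entries");

    /** Handles an RPC-style call. Both arguments come from the browser and are untrusted. */
    static Map<String, String> getAccountView(String sessionId, String claimedRole) {
        Set<Role> roles = SESSIONS.get(sessionId);
        if (roles == null) throw new SecurityException("not authenticated");
        // claimedRole is ignored on purpose: a modified client can send any value.
        Map<String, String> view = new TreeMap<>();
        for (Map.Entry<String, String> field : ACCOUNT.entrySet()) {
            // Fields missing from the ACL are denied by default.
            Set<Role> allowed = FIELD_ACL.getOrDefault(field.getKey(), Set.of());
            if (!Collections.disjoint(allowed, roles)) view.put(field.getKey(), field.getValue());
        }
        return view; // only this filtered map is serialized to the client
    }

    public static void main(String[] args) {
        // A customer session that claims to be CEO still gets the customer view.
        System.out.println(getAccountView("sess-alice", "CEO"));
        System.out.println(getAccountView("sess-bob", "CUSTOMER"));
        try {
            getAccountView("forged-session", "SYSTEM_ADMIN");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Hiding a widget in the client for a given role is then only a usability choice: the fields that role may not read never leave the server.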
