Friday, December 2, 2011

Re: RequestFactory Security: prevent the user from retrieving other users content

If you only look at the parameters sent with the request, you're basically logging in everyone as an administrator.

The remedy is easy: authenticate your requests, and use the authenticated user to filter data on the server-side.

Either let the browser do it (using cookies or HTTP auth) or do it yourself: create a "token" for the client and associate it with a user on the server side; the client sends the token with each request, which authenticates it on the server side (this is basically mimicking a cookie, just at another level).
The only way to authenticate as another user is to "steal" his "token" (so make sure you make them expire).

This is only the *first* step though; security is hard, and the above is clearly not enough to declare your application "secure".

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/8tRecW0podcJ.
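The token scheme the reply describes, as an added example that is not part of the original post or of GWT itself: a server-side store that issues random, expiring tokens bound to a user, beside a data service that filters rows by the user the token authenticates rather than by a user id the client names in the request. It is plain JDK code (no RequestFactory or servlet dependencies) so it runs with `java TokenAuthExample.java`; the class names, the `Document` rows and the `alice`/`bob`/`mallory` users are constructed for the example.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (not from the original post): server-side token store plus a
// data service that filters by the authenticated user, not a client parameter.
public class TokenAuthExample {

    /** A token's server-side record: which user it belongs to and when it stops being valid. */
    static final class Session {
        final String userId;
        final Instant expiresAt;
        Session(String userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    /** Issues and checks tokens; this is the "cookie at another level" from the post. */
    static final class TokenStore {
        private final SecureRandom rng = new SecureRandom();
        private final Map<String, Session> sessions = new ConcurrentHashMap<>();
        private final Duration ttl;

        TokenStore(Duration ttl) { this.ttl = ttl; }

        /** Called only after the user has proven who they are (password check etc., not shown). */
        String issue(String userId, Instant now) {
            byte[] raw = new byte[32];                       // 256 random bits: not guessable
            rng.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            sessions.put(token, new Session(userId, now.plus(ttl)));
            return token;
        }

        /** Returns the user bound to the token, or null if the token is unknown or expired. */
        String authenticate(String token, Instant now) {
            if (token == null) return null;
            Session s = sessions.get(token);
            if (s == null) return null;
            if (!now.isBefore(s.expiresAt)) {                // expired: forget it so a stolen copy is useless
                sessions.remove(token);
                return null;
            }
            return s.userId;
        }

        void revoke(String token) { sessions.remove(token); }
    }

    /** Stand-in for a persisted row; the owner column is what the filter keys on. */
    static final class Document {
        final long id; final String ownerId; final String body;
        Document(long id, String ownerId, String body) { this.id = id; this.ownerId = ownerId; this.body = body; }
    }

    static final class DocumentService {
        private final TokenStore tokens;
        private final List<Document> table = new ArrayList<>();   // constructed sample data

        DocumentService(TokenStore tokens) {
            this.tokens = tokens;
            table.add(new Document(1, "alice", "alice's notes"));
            table.add(new Document(2, "bob", "bob's notes"));
            table.add(new Document(3, "alice", "alice's todo"));
        }

        /** INSECURE: trusts the user id the client sent, so any caller can read any user's rows. */
        List<Document> listDocumentsTrustingParameter(String userIdFromClient) {
            List<Document> out = new ArrayList<>();
            for (Document d : table) if (d.ownerId.equals(userIdFromClient)) out.add(d);
            return out;
        }

        /** SECURE: the user comes from the token; an unknown or expired token gets nothing. */
        List<Document> listDocuments(String token, Instant now) {
            String userId = tokens.authenticate(token, now);
            if (userId == null) throw new SecurityException("not authenticated");
            List<Document> out = new ArrayList<>();
            for (Document d : table) if (d.ownerId.equals(userId)) out.add(d);
            return out;
        }
    }

    public static void main(String[] args) {
        TokenStore store = new TokenStore(Duration.ofMinutes(30));
        DocumentService svc = new DocumentService(store);
        Instant t0 = Instant.parse("2011-12-02T10:00:00Z");

        // The problem in the thread: mallory names alice in the request and gets alice's rows.
        System.out.println("insecure, mallory asking for alice: "
                + svc.listDocumentsTrustingParameter("alice").size() + " rows");

        // Fixed: each token only ever yields its own user's rows.
        String malloryToken = store.issue("mallory", t0);
        String aliceToken = store.issue("alice", t0);
        System.out.println("secure, as mallory: " + svc.listDocuments(malloryToken, t0).size() + " rows");
        System.out.println("secure, as alice:   " + svc.listDocuments(aliceToken, t0).size() + " rows");

        // Expiry: the same token is refused once the TTL has passed.
        try {
            svc.listDocuments(aliceToken, t0.plus(Duration.ofMinutes(31)));
        } catch (SecurityException e) {
            System.out.println("expired token: " + e.getMessage());
        }
        store.revoke(malloryToken);                           // explicit logout
    }
}
```

In a real GWT deployment the token would travel in a cookie or a request header and be checked once per request (a servlet `Filter` in front of the RequestFactory servlet is the usual place), with the resolved user handed to the service methods instead of the raw token; that wiring is assumed here, not shown. The `Instant` parameter exists only so the expiry path can be exercised deterministically; production code would use `Instant.now()` and a persistent session store rather than an in-memory map.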
