Tuesday, October 30, 2012

Re: Security considerations for GWT applications

Hi Joseph,

Did you post that GWT webapp running on Spring Security somewhere? I have the Spring Security books; its major shortcoming is that it doesn't cover GWT at all. It would be great to have some good comprehensive examples of GWT using Spring Security.

Thanks,
-Dave

On Saturday, October 27, 2012 12:06:32 PM UTC-6, Joseph Lust wrote:
FYI, I just set up a GWT webapp running on Spring Security. Spring Security covers much of the above and more:
  • Session Fixation prevention
  • Easy to enforce HTTPS channel filters to force parts of site to run on SSL
  • Facilities to persist (totally random) remember me tokens to database so they cannot be hacked/spoofed
  • Easy to implement custom hashing/salting classes
  • Request caching to auto-relogin and execute original request
  • Easy clearing of all session/cookie information on logout/expiration
  • Invalid session detection/handlers
It's fun to roll all of your own security, and I've done it, but just implementing a few interfaces and changing some XML is far easier, and I trust Spring more than I do myself to reinvent the wheel.

P.S. If you want autocomplete on login fields, you'll need to hide input fields in the html page and then pull those values to complete your GWT login form. It's been my experience that the browser only autocompletes saved passwords at page load, but does not complete form elements later inserted into the page.


Sincerely,
Joseph
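
A Spring Security namespace configuration covering the items in the list above, added here as an illustration and not taken from either poster's application. It assumes Spring Security 3.1; the URL paths and the `dataSource` and `userService` beans are hypothetical and defined elsewhere in the application context.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <http use-expressions="true">
    <!-- HTTPS channel filter: the login page, the GWT-RPC endpoint (hypothetical
         path) and everything else are forced onto TLS. -->
    <intercept-url pattern="/login.html" access="permitAll" requires-channel="https"/>
    <intercept-url pattern="/myapp/rpc/**" access="isAuthenticated()" requires-channel="https"/>
    <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https"/>

    <!-- Form login; the request cache replays the original request after login. -->
    <form-login login-page="/login.html"/>

    <!-- Session fixation prevention: a fresh session id is issued on login.
         Requests carrying an invalid or expired session id go to invalid-session-url. -->
    <session-management session-fixation-protection="migrateSession"
                        invalid-session-url="/login.html?expired"/>

    <!-- Persistent remember-me: random series/token pairs stored in the
         persistent_logins table of the (assumed) dataSource bean. -->
    <remember-me data-source-ref="dataSource" token-validity-seconds="1209600"/>

    <!-- Logout invalidates the session and deletes the session cookie. -->
    <logout logout-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID"/>
  </http>

  <authentication-manager>
    <!-- userService is an assumed UserDetailsService bean. -->
    <authentication-provider user-service-ref="userService">
      <!-- Swap in a custom hashing/salting class by pointing ref at your own bean. -->
      <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
  </authentication-manager>

  <beans:bean id="passwordEncoder"
              class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans:beans>
```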
