Re: How to make my app more secure. URL token

That's the reason why you need to check credentials/security at your backend (which is serving the data to your GWT client). You must not rely on the client  because you can't control what the client does. 
How is the login done ? Do do you post the login form to the backend and generate a session ? If so, you must make sure that the backend call which retrieves the data that is going to be displayed on your AdminPlace is authenticated and authorized. 
In addition you redirect the user to an error page when the user is not admin/authenticated on the client. But that's optional. If the backend is properly secured the user sees a blank AdminPlace. 

On Monday, June 6, 2016 at 1:47:47 PM UTC+2, Olar Andrei wrote:

Hello,

For now my aplication (MVP) has a login page, and 2 other palces, the AdminPlace and the UserPlace.

My URL looks like this:

http://127.0.0.1:8888/AdministrareBloc.html#AdminPlace:Admin

The login form consists of username and password, where the username is passed as a token to the next Place.

A user can't connect if he does not know the password, but let's say I'm logged in like in the link above. If I change the Admin to Admin2 or whatever, I still can see the page content. I don't want this. How can I avoid this ?

Thanks in advance

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.