I would say that all you need to do is to use runAsync() to separate
Adm features from regular features and then make sure that on server
side you check for each operation, if the user has the good credential
to execute it.

That is all.
Zé Vicente

On Aug 19, 4:34 pm, Phineas Gage <phineas...@gmail.com> wrote:
> On Aug 19, 4:02 pm, mars1412 <martin.trum...@24act.at> wrote:
>
> > just my 2 cents:
>
> > hiding or obfuscating will not stop a determined attacker anyway,
> > so there's no reason to worry about that.
> > that does of course not mean, that you shouldn't do it, if it's
> > easy: e.g. of course use the OFB mode when compiling the GWT app
>
> > just make sure, that all service methods are properly secured on the
> > serverside
>
> Yes, hiding or obfuscating doesn't help much. I was hoping for a
> secure way for users to never even be able to download administrative
> client code at all, without making it a separate GWT application. Even
> with runAsync(), users might be able to still retrieve the admin code
> unless it's protected on a file level on the server, but you have to
> determine which files to protect and preferably make it a seamless
> experience for the user so they don't have to provide separate web
> server credentials to download the admin client code.
>
> > > 2) Some users will download code that they will not necessarily
> > > execute, making the application needlessly larger.
>
> > RunAsync should help
> >  * if the user doesn't have the required permission to e.g. open an
> > admin view, then hide the button or menu-element - the user will
> > not see it and it will not get downloaded
> >  * if an admin is logged in, you'll of course show the button/
> > menuelement
> > and if she clicks the button, RunAsync will kick in and the relevant
> > code
> > will be downloaded
>
> Good point for reducing size. That will be useful, when GWT 2.0 comes
> out, as it should be in there. Until then you have to compile on the
> trunk to use it, I think.
>
> Thanks for the response.
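The server-side check recommended in this thread, as an added example that is not code from any poster or from GWT itself: every admin RPC method verifies the caller's role from the HTTP session before doing any work, so a user who obtains the admin client code still cannot execute the operations. The names `AdminService`, `NotAuthorizedException`, `AdminServiceImpl` and the `"role"` session attribute (assumed to be set by the application's own login code) are hypothetical.

```java
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import javax.servlet.http.HttpSession;

// Hypothetical shared types. In a real project they live in the module's
// client/shared package so the GWT compiler can see them.
class NotAuthorizedException extends Exception {
    NotAuthorizedException() { }                     // no-arg constructor for GWT RPC serialization
    NotAuthorizedException(String message) { super(message); }
}

interface AdminService extends RemoteService {
    void deleteUser(String userId) throws NotAuthorizedException;
    String readAuditLog() throws NotAuthorizedException;
}

// Server-side implementation: the authorization decision is made here,
// never in the client code that hides or shows the admin button.
public class AdminServiceImpl extends RemoteServiceServlet implements AdminService {

    // Assumption: the login code stores the authenticated user's role here.
    private static final String ROLE_ATTR = "role";

    private void requireRole(String required) throws NotAuthorizedException {
        // getSession(false): never create a session for an unauthenticated caller.
        HttpSession session = getThreadLocalRequest().getSession(false);
        Object role = (session == null) ? null : session.getAttribute(ROLE_ATTR);
        if (!required.equals(role)) {
            // Missing session, missing attribute and wrong role all fail closed.
            throw new NotAuthorizedException("operation requires role: " + required);
        }
    }

    @Override
    public void deleteUser(String userId) throws NotAuthorizedException {
        requireRole("admin");            // first statement of every admin operation
        // ... perform the deletion ...
    }

    @Override
    public String readAuditLog() throws NotAuthorizedException {
        requireRole("admin");
        return "";                       // ... load and return the log ...
    }
}
```

Because the check runs on every call, it holds regardless of whether the admin split point was downloaded through the UI or fetched directly.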