On Wed, Oct 28, 2009 at 10:34 AM, gwtfanb0y <siegfried.b...@googlemail.com> wrote:

> I would say that every Web Application which has its security only
> inside the Frontend (Browser) is per default insecure.
> If an evil person is smart, he can manipulate the JavaScript and make
> invisible forms visible, submit unverified data
> and can change the current userid & password when stored inside the
> client.

If the JavaScript comes from my site, then we're evil. I just want to be sure that if the user frames our site or anything unexpected happens, JavaScript loaded from other sites can't see the JavaScript/objects that we loaded. If the user can see my userid and password, then all is lost, because no login form would be secure, as they all accept a userid and password. I suspect it's not possible for JavaScript loaded from another site, evil or not, to access the userid/password in the page/JavaScript data from my system. At least I hope so!

> To prevent this you have to include business-security. I am using
> Spring Security and have collected very good
> experience with it. Inside the business-side, think that every
> incoming request could be manipulated, so you have
> to add strong verification processes. With Spring Security you can
> manage roles and permissions inside the
> SecurityContext (located on the server), which is much more secure than
> implementing RPC with username & password
> as values.

Well, there is always server-side security. But if you just trust session-level security that uses cookies to id the session, then there's the known XSRF attack if the person moves to an evil site without logging off (which is frequent enough in my experience) or otherwise ending the server-side session. They can't steal the data, but they can send in a request that itself may then cause trouble for you.