On Mar 5, 5:57 pm, Marley <[email protected]> wrote:
> > Security can only be provided by the server.
>
> Not sure I fully understand what you are getting at here. Yes, your
> data is coming from the server, just as all data from a web
> application which does anything. The client still needs to know
> various things about who is logged in and what they can see.

Of course it should, because it would be inconvenient for the user if the client presented links etc. which will eventually fail because the server refuses to send or store the necessary data. But what the client does is strictly not about security - no part of a web app's security may depend on this. Client-side code is arbitrarily modifiable by the user. The client part is just about the UI logic you derive from the user's roles, or from data that is associated with the user. It doesn't authenticate, and it doesn't authorize. Under no circumstance does the server send or accept data that isn't accessible by the user. And your UI logic is something that completely depends on your app.

> > Yes, you're right, the GWT documentation (or some blog somewhere)
> > could provide an example how to set things up for different scenarios
> > (note that there _is_ documentation on this for AppEngine in the GWT
> > tutorial! And it involves only a few steps.)
>
> GWT does not have to be used as part of the AppEngine.

Exactly - but this is the server component provided by Google. For servers from other vendors, use their security mechanism, or any good server-side framework.
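
The split described in the reply above, as an added example that is not part of the original message and is not GWT or AppEngine code: the server decides from roles it stored at login and never consults a role the client sends. All class, field and action names are hypothetical, and the session data is constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration; every name here is hypothetical, not a GWT or AppEngine API.
public class ServerSideAuthzDemo {
    // Server-side session store: session id -> roles assigned by the server at login (constructed data).
    static final Map<String, Set<String>> SESSIONS = new HashMap<>(Map.of(
        "sess-alice", Set.of("user"),
        "sess-bob", Set.of("user", "admin")));

    // Role required for each action, defined only on the server.
    static final Map<String, String> REQUIRED_ROLE = new HashMap<>(Map.of(
        "listOwnOrders", "user",
        "deleteUser", "admin"));

    // What arrives from the browser. claimedRole is client-controlled, so it is untrusted.
    record Request(String sessionId, String claimedRole, String action) {}

    static String handle(Request req) {
        // Authentication: the session must be one the server itself issued.
        Set<String> roles = SESSIONS.get(req.sessionId());
        if (roles == null) {
            return "401 not authenticated";
        }
        // Authorization: unknown actions are denied, and the decision uses only
        // the server-held roles. req.claimedRole() is deliberately never read.
        String required = REQUIRED_ROLE.get(req.action());
        if (required == null || !roles.contains(required)) {
            return "403 forbidden";
        }
        return "200 ok: " + req.action();
    }

    public static void main(String[] args) {
        // Unmodified client: the UI hid the admin link, so only permitted calls are sent.
        System.out.println(handle(new Request("sess-alice", "user", "listOwnOrders")));
        // Modified client: same session, but the request claims the admin role.
        System.out.println(handle(new Request("sess-alice", "admin", "deleteUser")));
        // Session that really holds the admin role on the server.
        System.out.println(handle(new Request("sess-bob", "admin", "deleteUser")));
        // No session known to the server.
        System.out.println(handle(new Request("sess-none", "admin", "deleteUser")));
    }
}
```

The client may still use the user's roles to hide or show links; that only affects convenience, since the outcome of each call is fixed by `handle` on the server.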
