The only thing we do is some cross-site scripting prevention and
hiding user interface components if a user does not have the
permission for that component. So for example we only show the menu
items a user in a given role can access. Other menu items won't be
added to the menu widget. This is done in our presenters. Each time a
presenter gets active it asks the server for the permissions the
current user has.

But you can never trust the client, and we have to make sure that a
user with a given role will get an exception if he asks the server for
information he has no permission for, because an attacker can ask for
such information even if he does not have the corresponding menu item
in the client UI. So each time we get a server request, the server
retrieves the user account with its assigned roles and permissions and
checks them against a set of server-side defined permissions that are
required to do the request. If they don't match we throw an exception.


On 30 Oct., 10:35, zixzigma <zixzi...@gmail.com> wrote:
> Hello everyone,
>
> I have some questions regarding implementing security in GWT.
>
> It's a typical use case:
> let's say in your app, users can have different roles,
> and you want to show only the relevant part of the UI, based on their
> role.
>
> and I am talking about more than 3 roles,
> e.g. (Customer, BranchManager, Teller, CEO, System Admin)
> (after all GWT is for larger apps, right ? )
>
> on the back-end, I am planning to use Spring, and I'm going to use
> Spring Security,
> for authentication, fine-grained authorization (method level, ACL);
> it is a very mature framework and annotation based.
>
> however, when it comes to the front-end UI, I don't know what is the
> recommended practice to incorporate role-based security in MVP. (I
> don't want the security checks to get scattered across all methods on the
> client, bloated code, if statements everywhere, security is a cross-
> cutting concern, right? should I put it in the Activity/Presenter?)
>
> I see GWT 2.1 release addresses security concerns, for cross-site
> scripting, and introducing SafeHtml.
> but nothing related to authorization.
>
> I would appreciate your insights and any feedback from google team,
> perhaps a tutorial addressing this aspect of application security is
> really needed !
>
> is it possible for the GWT team to introduce annotation-based support for
> addressing security?
> does it make sense at all, or am I missing something?
>
> what have been your experiences in implementing security in GWT ?
>
> Thank You

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to google-web-tool...@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
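The server-side check described in the reply above (look up the account's roles on every request, compare against permissions the server itself declares as required for that call, throw if they do not match), written out as an added example that is not code from the original thread, from GWT or from Spring Security. It uses plain Java so it runs without any framework: a hypothetical `@RequiresPermission` annotation on a service interface, a `java.lang.reflect.Proxy` that enforces it before every invocation, and a constructed in-memory `ACCOUNT_ROLES` map standing in for the real account store. The roles, permissions and user names are made up for illustration.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class ServerSideAuthorization {

    // Permissions are defined on the server only; the client never sends them.
    enum Permission { VIEW_BALANCE, APPROVE_LOAN, MANAGE_USERS }

    // Roles resolve to permissions on the server from stored account data (constructed sample).
    enum Role {
        CUSTOMER(EnumSet.of(Permission.VIEW_BALANCE)),
        TELLER(EnumSet.of(Permission.VIEW_BALANCE)),
        BRANCH_MANAGER(EnumSet.of(Permission.VIEW_BALANCE, Permission.APPROVE_LOAN)),
        SYSTEM_ADMIN(EnumSet.allOf(Permission.class));
        final Set<Permission> permissions;
        Role(Set<Permission> p) { permissions = p; }
    }

    // Hypothetical annotation: the server-side declaration of what a request requires.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresPermission { Permission[] value(); }

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // The service interface the client calls; requirements live next to each method.
    interface BankService {
        @RequiresPermission(Permission.VIEW_BALANCE)
        String balance(String account);

        @RequiresPermission(Permission.APPROVE_LOAN)
        String approveLoan(String loanId);
    }

    static class BankServiceImpl implements BankService {
        public String balance(String account) { return "balance of " + account + ": 100.00"; }
        public String approveLoan(String loanId) { return "loan " + loanId + " approved"; }
    }

    // Constructed stand-in for the per-request account lookup (session -> stored roles).
    static final Map<String, Set<Role>> ACCOUNT_ROLES = Map.of(
        "alice", EnumSet.of(Role.TELLER),
        "bob", EnumSet.of(Role.BRANCH_MANAGER));

    // Resolve the effective permissions of a user from the account store, on every call.
    static Set<Permission> permissionsOf(String user) {
        Set<Permission> granted = EnumSet.noneOf(Permission.class);
        for (Role r : ACCOUNT_ROLES.getOrDefault(user, Set.of())) {
            granted.addAll(r.permissions);
        }
        return granted;
    }

    // Wrap the service so each invocation is checked on the server,
    // independent of which menu items the client UI chose to show.
    static BankService secure(BankService target, String currentUser) {
        InvocationHandler handler = (proxy, method, args) -> {
            RequiresPermission rp = method.getAnnotation(RequiresPermission.class);
            if (rp != null) {
                Set<Permission> granted = permissionsOf(currentUser);
                for (Permission p : rp.value()) {
                    if (!granted.contains(p)) {
                        throw new AccessDeniedException(
                            currentUser + " lacks " + p + " for " + method.getName());
                    }
                }
            }
            return method.invoke(target, args);
        };
        return (BankService) Proxy.newProxyInstance(
            BankService.class.getClassLoader(), new Class<?>[] { BankService.class }, handler);
    }

    public static void main(String[] args) {
        BankService asTeller = secure(new BankServiceImpl(), "alice");
        System.out.println(asTeller.balance("4711"));
        try {
            // The teller's UI has no "approve loan" menu item, but a crafted
            // request can still reach this method; the server rejects it.
            asTeller.approveLoan("L-1");
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
        BankService asManager = secure(new BankServiceImpl(), "bob");
        System.out.println(asManager.approveLoan("L-1"));
    }
}
```

The point of the design is that the annotation is read by the server proxy, never by the client: the presenter may still ask the server which permissions the current user has and hide menu items accordingly, but that is purely a usability concern, and the decision that matters is taken again at `secure(...)` for every request. With Spring Security the same shape is available through its method-level annotations; this example only shows the mechanism so the check is visible in full.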
