My understanding is that - apart from the basic authentication support, e.g. against AppEngine - RequestFactory does not provide any security-related framework. You have to make sure that the service methods check for authorization. Also, make sure, the "side-effects" that RequestFactory carries, like changed Entitys, don't get persisted without an additional check. RequestFactoryServlet will findById(...) any Entities as specified by the client request, and then call set... () for any changed value, and it does that even for child entities. So either you guard all your finders and setters, or you make sure that the changes caused by calling these setters only get written to the datastore by calling a special "persist" method. However, that persist- method does not have a way of knowing exactly which child entities have been changed, and in JDO for example, simply closing the PersistenceManager or comitting the current transaction will cause all changes to be written to the datastore. So in that case, I have to inspect the transaction in order to know what exactly the RequestFactoryServlet did to my data model and whether it's safe to commit.
So I hope that GWT 2.1.1 gives us a possibility to see exactly what a Request wants to do beforehand. In the current state, I honestly doubt that RequestFactory should be used in a productive environment, as it introduces really hard-to-overlook security problems. That's a pity since it otherwise it would make for a really nice RPC-system. I think the server-part needs a lot more work, and from looking at the 2.1.1- wiki-pages it seems to get overhauled quite a bit. Maybe someone from Google can comment on how the security issues can be addressed effectively with the 2.1 RequestFactory? Regards, Tobias On Nov 9, 5:12 pm, "Max E." <eckel....@gmail.com> wrote: > Hello, > > i have troubles understanding how Security works with RequestFactory > in GWT 2.1. > I do unterstand the documentation and I do unterstand the expenses > sample. > > How can I restrict access for the client only to entities she is > allowed to access? > I found UserInformation, but how does it work? > How do my users authenticate to the server? > How can I validate that they are allowed to update or persist an > entity? > Unfortunately I did not find documentation for this topic. -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to google-web-tool...@googlegroups.com. To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
