{HEX}.cache.html leakage

2011-03-21 Thread Nuno Teodoro
Hi all, I've seen this as a problem (or best practice) that should be
addressed, which relates to OWASP's GWT presentation where they state
that:

Are the {HEX}.cache.html files accessible by unauthenticated users?
Is the login functionality implemented using GWT RPC?
If yes, the {HEX}.cache.html file will be leaking out information to
unauthenticated users!

How should one prevent the {HEX}.cache.html files from being accessible by
unauthenticated users?

Best regards

-- 
You received this message because you are subscribed to the Google Groups 
Google Web Toolkit group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.



Re: {HEX}.cache.html leakage

2011-03-21 Thread David Chandler
One way is to use a dynamic host page instead of static HTML:

http://code.google.com/webtoolkit/articles/dynamic_host_page.html

You can also use a non-GWT auth mechanism like a servlet filter and redirect
to the GWT app after successful authentication.

But fundamentally, you shouldn't ever trust the client, so you should write
your GWT app so as not to expose secrets in the JS code at all.



-- 
David Chandler
Developer Programs Engineer, Google Web Toolkit
w: http://code.google.com/
b: http://googlewebtoolkit.blogspot.com/
t: @googledevtools
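The second option David mentions, a non-GWT auth check in front of the compiled module, can be done with a plain servlet filter. The following is an added example, not code from this thread or from the GWT project; the module path /app/, the login page /login.html and the session attribute "user" are assumptions chosen for illustration. The filter refuses to serve anything under the module directory, including the *.nocache.js selection script and every {HEX}.cache.html permutation, until a non-GWT login has put a principal into the session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Gate the compiled GWT module behind a non-GWT login.
 *
 * Assumed deployment (hypothetical, not from the thread): the module is
 * served from /app/, the login form lives at /login.html and is plain HTML
 * (it must not depend on the module it protects), and a successful login
 * stores the principal name in the session attribute "user".
 *
 * Map the filter in web.xml to the module directory, for example:
 *
 *   <filter>
 *     <filter-name>gwtModuleAuth</filter-name>
 *     <filter-class>GwtModuleAuthFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>gwtModuleAuth</filter-name>
 *     <url-pattern>/app/*</url-pattern>
 *   </filter-mapping>
 */
public class GwtModuleAuthFilter implements Filter {

    static final String SESSION_USER_ATTR = "user";
    static final String LOGIN_PATH = "/login.html";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for an anonymous hit on
        // a static file, only look at one the login already established.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null
                && session.getAttribute(SESSION_USER_ATTR) != null;

        if (!authenticated) {
            // A browser navigating to the host page is sent to the login form;
            // script, RPC or XHR requests get a bare 401 with no body.
            String accept = request.getHeader("Accept");
            if (accept != null && accept.contains("text/html")) {
                response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            } else {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }

        // The permutation files are normally served with a far-future expiry.
        // Keeping them cacheable is fine, but mark them private so a shared
        // proxy never hands an authenticated user's copy to an anonymous one.
        if (request.getRequestURI().endsWith(".cache.html")) {
            response.setHeader("Cache-Control", "private, max-age=31536000");
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the filter is keyed on the URL pattern rather than on the host page, it also covers a direct request for a {HEX}.cache.html file whose name was learned elsewhere, which a dynamic host page alone does not. It does not change David's last point: once a user has logged in the compiled JavaScript is in their hands, so the module should still carry no secrets and every RPC must enforce authorization on the server.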