Hey everyone, and thanks again for the help.
You have all given me lots of advice on security, which is something I
don't have much experience on, so it's greatly appreciated. I am securing
my server-side calls at the moment, and decided that as there will be only
one or two admin users, it was
Agreed, server side access checks must always be there.
    public String getAuditLogDetail(int id) throws MyException {
        HttpSession sess = getThreadLocalRequest().getSession();
        validSession(sess);
        if (hasAdminAccess(sess)) {
            LocalDbWrapper ldb;
            try {
                ldb =
If the difference between the download size of your UI for admins
versus regular users is large, then you may want to consider splitting
the UI as suggested elsewhere in this thread. You will have to decide
if this is worth the effort in your case. My understanding of the
client side of GAE applic
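To show the pattern the previous reply sketches, here is an added example of a complete GWT RemoteServiceServlet that performs the session and admin checks on the server before doing any work. It is not code from anyone in this thread; the service name AuditService, the "userId" and "role" session attributes, and the in-memory audit map are assumptions made for the example. The names validSession, hasAdminAccess, MyException and getAuditLogDetail are taken from the snippet above.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Checked exception as in the thread; GWT RPC delivers it to the
// client's AsyncCallback.onFailure when the servlet throws it.
class MyException extends Exception {
    public MyException(String message) { super(message); }
}

// Hypothetical RPC interface (assumption: not on the page).
interface AuditService extends RemoteService {
    String getAuditLogDetail(int id) throws MyException;
}

public class AuditServiceImpl extends RemoteServiceServlet implements AuditService {

    // Assumed session attributes written by the login servlet.
    private static final String USER_ATTR = "userId";
    private static final String ROLE_ATTR = "role";

    // Constructed sample data standing in for LocalDbWrapper.
    private static final Map<Integer, String> AUDIT = new HashMap<Integer, String>();
    static {
        AUDIT.put(1, "2011-03-01 admin uploaded report.pdf to blobstore");
        AUDIT.put(2, "2011-03-02 user42 downloaded report.pdf");
    }

    @Override
    public String getAuditLogDetail(int id) throws MyException {
        // getSession(false) never creates a session for an anonymous caller.
        HttpSession sess = getThreadLocalRequest().getSession(false);
        validSession(sess);
        if (!hasAdminAccess(sess)) {
            // Deny first; the client UI is irrelevant to this decision.
            throw new MyException("administrative privileges required");
        }
        String detail = AUDIT.get(id);
        if (detail == null) {
            throw new MyException("no audit entry with id " + id);
        }
        return detail;
    }

    // Reject calls that arrive with no live, authenticated session.
    static void validSession(HttpSession sess) throws MyException {
        if (sess == null || sess.getAttribute(USER_ATTR) == null) {
            throw new MyException("not logged in");
        }
    }

    // Role is read from the server-side session, never from the request body.
    static boolean hasAdminAccess(HttpSession sess) {
        return "admin".equals(sess.getAttribute(ROLE_ATTR));
    }
}
```

The servlet is mapped in web.xml like any other GWT RPC servlet. Because the role comes from the HttpSession that the login servlet populated, a regular user who crafts an RPC request by hand still receives the MyException, whatever the client UI lets them see.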
http://code.google.com/p/google-web-toolkit/wiki/CodeSplitting
have a look at code splitting for not downloading something the user does
not need!
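As an added example of the code splitting the link above describes (not code from the thread or from the GWT project), this client-side class loads the admin panel through GWT.runAsync so that it lands in a separate fragment that regular users never download. AdminUploadPanel and the "content" root panel id are assumptions made for the example.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.core.client.RunAsyncCallback;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.ui.Composite;
import com.google.gwt.user.client.ui.Label;
import com.google.gwt.user.client.ui.RootPanel;
import com.google.gwt.user.client.ui.VerticalPanel;

// Hypothetical admin widget; because it is only referenced inside the
// runAsync callback, the compiler places it in its own split point.
class AdminUploadPanel extends Composite {
    AdminUploadPanel() {
        VerticalPanel panel = new VerticalPanel();
        panel.add(new Label("Admin: upload files to the blobstore"));
        initWidget(panel);
    }
}

public class AdminLoader {

    // Called when the logged-in user opens the admin section.
    public static void showAdminSection() {
        GWT.runAsync(new RunAsyncCallback() {
            public void onFailure(Throwable reason) {
                // Fragment could not be fetched (network, stale cache, ...).
                Window.alert("Could not load admin module: " + reason.getMessage());
            }

            public void onSuccess() {
                RootPanel content = RootPanel.get("content");
                content.clear();
                content.add(new AdminUploadPanel());
            }
        });
    }
}
```

This only reduces what non-admins download; the fragment is still a public URL, so anyone can fetch it. The server-side checks discussed earlier in the thread remain the actual access control.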
what you are about to implement is something bigger than a simplified logic
of admin/not-admin user, but rather privileged/unprivileged. Therefore in
many cases like using CAPTCHA (robot defense), that's a matter of your
taste as a web-designer to call the server for serialized UI elements, or
Hi guys, and thanks for the answers.
So it seems the answers you have given are two-fold. I hadn't really got to
thinking about securing the server yet as I am just building a prototype
and still learning as I go. However, now seems as good a time as any to
secure the RPC calls. Would something
Hi Drew
Secure your server/servlets first and UI second. Make sure all
incoming calls to the server tier deny unauthorized users access to
execute administrative operations. When you do this you don't have to
worry if the user attempts an admin activity in the UI because they
will be denied in t
since admin privileges are run-time features, deferred binding can't help
you in this case, unless you duplicate your project adding some extended
admin-only functionalities to redirect admin to, and this solution would be
just as bad, as if you implement security facility in an abstraction of G
Hey coders,
I'm building an app at the moment that will have regular users and
administrators. The part I am building atm is an intranet-like section that
allows the admins to upload files to the blobstore (also using app engine),
so that users can download them.
I have been using MVP with uib