AnAmuser

Reputation: 1895

Security and GWT - client side

Maybe this is a stupid question, but JavaScript is a weird thing. I secured my GWT app with Spring Security and want to use the security roles on the client side. Is this safe, or can they be manipulated so that ordinary users suddenly have access to the managers' parts?

Upvotes: 1

Views: 463

Answers (2)

LINEMAN78

Reputation: 2562

You should include security on both sides. Just remember that security should never be "enforced" client side, but the UI should reflect the user's roles (i.e., you don't want to display an admin link for a user that isn't an admin). You should enforce security at the service layer. If you were to enforce security client side, it doesn't prevent a user from constructing a web service call manually, but if the security is enforced at the service layer, the request would be denied.

Upvotes: 2

Hilbrand Bouwkamp

Reputation: 13519

Never trust the client side! So every call to the server for data should check if the user has access to that data, both querying and storing/deleting data.

Upvotes: 7
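
The service-layer check both answers describe, as an added example that is not part of either answer: a plain-Java stand-in for a GWT RPC service, where the role carried in the request is ignored and authorization comes only from roles the server stored at login. `ReportService`, the session ids and the role names are hypothetical, and the role map is constructed sample data standing in for what Spring Security would hold.

```java
import java.util.Map;
import java.util.Set;

// Added example: all names (ReportService, session ids, roles) are hypothetical.
public class ServiceLayerCheck {

    /** What the browser sends; every field is under the client's control. */
    record Request(String sessionId, String claimedRole, String reportId) {}

    static class ReportService {
        // Roles resolved on the server at login (e.g. by Spring Security),
        // keyed by a session id the server issued. Constructed sample data.
        private final Map<String, Set<String>> rolesBySession = Map.of(
                "sess-alice", Set.of("ROLE_USER"),
                "sess-bob", Set.of("ROLE_USER", "ROLE_MANAGER"));

        String managerReport(Request req) {
            // Authorize from server-side state only; req.claimedRole() is
            // never consulted, so editing it in the client changes nothing.
            Set<String> roles = rolesBySession.getOrDefault(req.sessionId(), Set.of());
            if (!roles.contains("ROLE_MANAGER")) {
                throw new SecurityException("access denied for " + req.sessionId());
            }
            return "report " + req.reportId();
        }
    }

    // Maps the service outcome to an HTTP-style status line for display.
    static String call(ReportService svc, Request req) {
        try {
            return "200 " + svc.managerReport(req);
        } catch (SecurityException e) {
            return "403 " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        ReportService svc = new ReportService();
        // Ordinary user whose client was modified to claim the manager role.
        System.out.println(call(svc, new Request("sess-alice", "ROLE_MANAGER", "q3")));
        // Real manager; the claimed role is irrelevant either way.
        System.out.println(call(svc, new Request("sess-bob", "ROLE_USER", "q3")));
        // Unknown session: no roles on record, so denied by default.
        System.out.println(call(svc, new Request("sess-none", "ROLE_MANAGER", "q3")));
    }
}
```

The client can still use its copy of the roles to decide which links to draw; only the server-side lookup decides whether the call succeeds.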
