I am writing a GWT application and I need to only load certain widgets based on user roles. For e.g., there may be admin widgets, user widgets etc.

Any thoughts how I can implement this?

One option is that I can check the role in the code and hide them. But since this code gets executed at the client side I think this is a security risk.

Pushkar

2 Answers

You should manage the roles on server side:

  1. Pass the role somehow to your Root widget.

    • RPC call to server during onModuleLoad to ask the Role

    • Or simply pass it from JSP to JS and use native get from the Widget.

  2. Build required panel

Yes, you still have some risk, since all your JS code is on the client, and it can modify the flow using JS debug. To prevent this you need to filter all calls to the server side from Admin widgets and make them fail without a successful result, for example. So, the admin widget can do nothing, because all calls to the server will fail.

If it is still not safe enough for you, then you can use separate GWT Entry Points. In this case you will forward clients to separate pages with separate JS code.

udalmik
  • Interesting. I guess this is the place Vaadin would be more helpful since server side code can be written. But unfortunately I am already tied to GWT. :( – Pushkar Nov 16 '12 at 08:42
  • What do you mean? You can use plain Java Servlet Filters on server side to check requests to RPC/REST/etc. – udalmik Nov 16 '12 at 08:47
  • Yes but the whole logic and code exists on the client. A smart (or determined) JS guy can potentially see the admin components using JS debug. In Vaadin all I would have to do is check if the user has access and if he does then render that widget. The client would not even receive the admin widget code. Whereas in GWT the admin code is always there, but just hidden. – Pushkar Nov 16 '12 at 08:58
  • Got it, I have added description about case with totally separated JS code. – udalmik Nov 16 '12 at 09:11
  • You must put security logic on the server. "Security logic" on the client is just UI logic. – Riley Lark Nov 16 '12 at 15:16
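The approach described in this answer, as an added example (not code from the original answer or from GWT itself): the client asks the server for its role during onModuleLoad and builds the matching panel, while a servlet filter on the server rejects any admin RPC call that does not come from an admin session. The service names, the "role" session attribute, the "ADMIN" value and the /app/admin/* path are all hypothetical.

```java
// ---- File: client/App.java (GWT client side) ----
import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
import com.google.gwt.user.client.ui.Label;
import com.google.gwt.user.client.ui.RootPanel;

// Hypothetical RPC service that only tells the client which role it has.
@RemoteServiceRelativePath("role")
interface RoleService extends RemoteService {
    String getRole();
}

interface RoleServiceAsync {
    void getRole(AsyncCallback<String> callback);
}

public class App implements EntryPoint {
    private final RoleServiceAsync roleService = GWT.create(RoleService.class);

    @Override
    public void onModuleLoad() {
        // Step 1 of the answer: fetch the role via RPC during module load.
        roleService.getRole(new AsyncCallback<String>() {
            @Override
            public void onSuccess(String role) {
                // Step 2: build only the panel this role is allowed to see.
                // This is UI logic; the real enforcement is the server filter below.
                if ("ADMIN".equals(role)) {
                    RootPanel.get().add(new Label("admin panel (placeholder widget)"));
                } else {
                    RootPanel.get().add(new Label("user panel (placeholder widget)"));
                }
            }

            @Override
            public void onFailure(Throwable caught) {
                RootPanel.get().add(new Label("could not determine role"));
            }
        });
    }
}

// ---- File: server/AdminRoleFilter.java (server side, Servlet 3.0 API) ----
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Every admin RPC/REST servlet is mapped under /app/admin/*, so one filter
// covers all of them; a tampered client that unhides the admin widget still
// gets 403 on every call it makes.
@WebFilter("/app/admin/*")
public class AdminRoleFilter implements Filter {
    // Hypothetical session attribute set by the login code, never by the client.
    static final String ROLE_ATTR = "role";

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // do not create a session here
        Object role = session == null ? null : session.getAttribute(ROLE_ATTR);
        if (!"ADMIN".equals(role)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // request never reaches the admin servlet
        }
        chain.doFilter(req, res);
    }
}

// ---- File: server/RoleServiceImpl.java (serves the RPC used in onModuleLoad) ----
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import javax.servlet.http.HttpSession;

public class RoleServiceImpl extends RemoteServiceServlet implements RoleService {
    @Override
    public String getRole() {
        HttpSession session = getThreadLocalRequest().getSession(false);
        Object role = session == null ? null : session.getAttribute(AdminRoleFilter.ROLE_ATTR);
        return role == null ? "USER" : role.toString(); // unknown callers are plain users
    }
}
```

The filter is the only part that actually enforces anything: the role decision is read from the server-side session, so nothing the client sends (or changes in the debugger) can change it. If you later move to separate Entry Points, as the answer suggests, the same filter still protects the admin servlets regardless of which compiled JS is loaded.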
I have the same issue. I found this (not used it yet, but I think this may be the solution): acris

AmirMV