
I am a beginner in GWTP and I want to build an application that displays a list of products and, on a click, displays the details of the selected product... My question is how to refresh the page so that the product detail page refreshes while respecting security measures; obviously I do not want to pass the id of the product in the request. I thought about storing the id in the session, but I do not know if it will impact the application's performance given the high response times of RPC.

Any help or clarification on this would be appreciated.

user405458
  • What exactly is your problem? Do you want to know how you can show a details page when you click on a product from the list or do you want to know how you can display the same detail page when the user refreshes its browser (by clicking F5 for example)? – Ümit Feb 15 '12 at 17:50
  • I want to know how to show the same detail page when the user refreshes the browser while respecting security measures; for example, a user can't display a product that doesn't belong. – user405458 Feb 16 '12 at 12:39

2 Answers


I have some advice but be aware I'm fairly new to GWTP as well....

Security

Communication should take place over SSL/HTTPS. I put it across my entire app using the servlet container (web.xml) so that it integrates seamlessly with non-GWT parts of my app.

I don't see a problem with putting an 'id' in a url. You can always prevent it from showing in the address bar with PlaceManager.revealPlace(PlaceRequest, boolean).

Composed View

I have a view with a list of entities on the left and the edit form on the right. The list is always shown and is placed in a 'slot' explicitly by a parent presenter:

```java
public class Users extends Presenter<Users.View, Users.Proxy> {
    // Slots the parent presenter exposes for its child presenters.
    @ContentSlot
    public static final GwtEvent.Type<RevealContentHandler<?>> LIST_SLOT = new GwtEvent.Type<RevealContentHandler<?>>();
    @ContentSlot
    public static final GwtEvent.Type<RevealContentHandler<?>> FORM_SLOT = new GwtEvent.Type<RevealContentHandler<?>>();

    @Inject
    private UserList userList;

    @Inject
    public Users(EventBus eventBus, View view, Proxy proxy) {
        super(eventBus, view, proxy, Configuration.SLOT);
    }

    @Override
    protected void onReveal() {
        super.onReveal();
        // The list is always shown, so the parent places it explicitly.
        setInSlot(LIST_SLOT, userList);
    }
    // ...
}
```

My app has an 'empty form' presenter which is shown by default when no list item is selected. This prevents the list and parent presenters from being a 'place' (requiring a token). Only the leaf presenters in the presenter hierarchy should be a 'place'.

Peter L

You might consider using GWT's Cookie Support. Properly implemented, you'd always know exactly what they were doing last and getting them back to there becomes easy. Cookies are obviously client-side, so it's always going to be faster than RPC.

Chris Cashwell
  • What about security? The client can change cookies and then refresh the detail page to display a product that does not belong? – user405458 Feb 15 '12 at 09:04
  • @user405458 **Rule #1: Never trust anything you get from a client.** You should assume they *did* change the cookie. No matter what, you should be checking server-side whether or not the user has access to do what they're asking for. That rule also applies to anything the client javascript is asking for. You should assume that every user is a malicious user, validate everything and trust nothing. – Chris Cashwell Feb 15 '12 at 12:45
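
The server-side check described in the last comment, as an added example that is not code from any of the posts above. It shows that the product id can arrive from a place token, a cookie or an RPC argument, because the server authorizes every load against the identity held in its own session. `Product`, `ProductDetailService`, `loadDetail` and the sample data are hypothetical names constructed for illustration.

```java
import java.util.Map;
import java.util.Optional;

// Added example: every name here is hypothetical, not part of GWT or GWTP.
public class ProductDetailService {
    record Product(long id, String ownerId, String name) {}

    // Constructed sample data standing in for the database.
    private final Map<Long, Product> products = Map.of(
            1L, new Product(1L, "alice", "Kettle"),
            2L, new Product(2L, "bob", "Toaster"));

    /**
     * @param sessionUserId identity read from the server-side session, never from the request
     * @param requestedId   product id exactly as the client sent it (untrusted)
     */
    public Optional<Product> loadDetail(String sessionUserId, String requestedId) {
        if (sessionUserId == null) {
            return Optional.empty();            // no authenticated session
        }
        long id;
        try {
            id = Long.parseLong(requestedId);   // reject anything that is not a plain number
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        Product p = products.get(id);
        // Same result for "does not exist" and "not yours", so ids cannot be probed.
        if (p == null || !p.ownerId().equals(sessionUserId)) {
            return Optional.empty();
        }
        return Optional.of(p);
    }

    public static void main(String[] args) {
        ProductDetailService svc = new ProductDetailService();
        System.out.println("own product:     " + svc.loadDetail("alice", "1").isPresent());
        System.out.println("other's product: " + svc.loadDetail("alice", "2").isPresent());
        System.out.println("malformed id:    " + svc.loadDetail("alice", "not-a-number").isPresent());
        System.out.println("no session:      " + svc.loadDetail(null, "1").isPresent());
    }
}
```

With this check on the server, a browser refresh can simply re-request the id from the URL; a tampered id yields the same empty response as a missing product.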