Before I say anything else: yes, I know authorization needs to be done on the server-side. Even so, the client-side app still has to hide the GUI elements that don't apply to the logged-in user.

Having said that, here's the question: are there any role-based declarative authorization frameworks for rich browser-based JavaScript web apps?

Background: with browser-based JavaScript web apps (GWT, ExtJS, etc.) there is generally no need for dynamic server-side view generation since the entire app can be downloaded as static files and all view transitions are made in the browser. Implementing role-based security therefore either requires dynamic GUI customization after the user logs in and the app loads, or dynamic generation of the app's files on the server-side after login, before anything is downloaded to the client (could be built and cached too). This SO question talks about these approaches: How to use Ext JS for role based application

Thanks!

thvo
  • It sounds like you're already functioning within a specific environment, and as such wouldn't you already know which parts are authorized for which users? If not, and you plan to send all the GUI and scripting functions to the client, what's to stop users from using toolkits to compromise the security of your system? It is almost always better to only send to clients what they are authorized to use. -- That said, knowing which framework you are already invested in might help, and if you're not invested in any - then what basic technology are you vested into? – Luke Oct 08 '13 at 23:03

0 Answers
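The "dynamic GUI customization after login" approach from the question, sketched as an added example that is not part of the original post or of any framework named in it: view nodes carry a declarative role annotation and one function prunes the tree for the current user. `VIEW_TREE`, `requiresAnyRole`, `pruneForRoles` and the role names are assumptions made for illustration; the same function can run on the server before the view description is sent, as the comment recommends, and the server still authorizes every request.

```javascript
// Added example. VIEW_TREE, requiresAnyRole and the role names are constructed
// for illustration; they are not the API of GWT, ExtJS or any other framework.
const VIEW_TREE = {
  id: 'app',
  children: [
    { id: 'dashboard' }, // no annotation: shown to every logged-in user
    {
      id: 'orders',
      requiresAnyRole: ['sales', 'admin'],
      children: [
        { id: 'orders.list' },
        { id: 'orders.refund', requiresAnyRole: ['admin'] },
      ],
    },
    { id: 'userAdmin', requiresAnyRole: ['admin'] },
    { id: 'misconfigured', requiresAnyRole: 'admin' }, // not an array: hidden
  ],
};

// A node without an annotation is public; a malformed or empty one fails closed.
function isVisible(node, roles) {
  if (!Object.prototype.hasOwnProperty.call(node, 'requiresAnyRole')) return true;
  const required = node.requiresAnyRole;
  if (!Array.isArray(required) || required.length === 0) return false;
  return required.some((role) => roles.has(role));
}

// Returns a pruned copy of the tree (input is not mutated). A hidden parent
// hides its whole subtree, and annotations are stripped from the output so the
// client does not receive the role model when this runs on the server.
function pruneForRoles(node, userRoles) {
  const roles = new Set(userRoles);
  if (!isVisible(node, roles)) return null;
  const { requiresAnyRole, children, ...rest } = node;
  const kept = (children || [])
    .map((child) => pruneForRoles(child, roles))
    .filter((child) => child !== null);
  return kept.length > 0 ? { ...rest, children: kept } : rest;
}

// Flattens the pruned tree to the list of view ids the client should render.
function visibleIds(tree, userRoles) {
  const ids = [];
  const walk = (n) => { ids.push(n.id); (n.children || []).forEach(walk); };
  const pruned = pruneForRoles(tree, userRoles);
  if (pruned) walk(pruned);
  return ids;
}
```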