> [snip]
>
> The article doesn't seem to directly address Nickelnext concern about
> having the admin content already in the browser though. I mean, once
> you compile the UI into javascript and the browser downloads it,
> everything that the view does is there in the browser. It seems
> pretty far out there that someone could use that obfuscated javascript
> mischievously but that's what hacking is all about, so i hear!
>
Are you forgetting that we're talking about a GWT application here?
The admin content does NOT have to be downloaded with the rest of the
application. Let me explain my point:
Use case 1: a secure part of the application needs to be accessed
-------------------------------------------------------------------
1. anyone comes in, the entry point (server side) is invoked from the
app main page (index.html, whatever). (BTW: I haven't entirely looked
at the mechanism behind this, but I suggest that this is probably a
normal RPC or request being made of some sort by the initialization
process.)
2. browsing occurs normally until you reach an admin section, which
has not yet been loaded, but a login box as explained earlier.
3. user submits credential along with other identifying information as
needed (session cookie, whatever)
4. response comes back positive or negative (with other information,
like changed session id, whatever) as discussed
5. request is being made through a second RPC call at this point and
return some widget through the wire, replace the login by that widget
(add a new tab in your pane, whatever). Et voilà!
Options:
--------------
0.1. At any time, if the user wants to logoff (the logoff widget
should be displayed somewhere and always visible when the user is
logged in, perhaps a simple link/anchor with a click handler)
0.1.1. make an RPC request to the server and destroy the session data,
if any (clean session), no need to return anything
0.1.2. reload the entire application, or remove the admin widgets and
replace them with the original logon widget. End of scenario.
2.1. the user has already been identified, so the admin content
appears instead of the login box. End scenario
4.1. response comes back negative, display a pretty message of a
failed authentification attempt. Perhaps the server should return that
message, in case of anti-flooding or anti-DOS attack protection (I'm
thinking about a request cooldown time after n attempt, but I may be
going too far for this thread). End scenario.
Unless I'm mistaken, this is where I'm leading towards in my apps.
(I'm actually interested to know if I should change something in this
use case?)