0

I am writing a simple web page, which shows some widgets based on user permission. If the user has EDIT permission, the page renders the EDIT widget; otherwise the EDIT widget doesn't show up.

What is the best way to achieve this?

I first called a service to get the logged-in user's permissions and then set visibility: none or block based on the permission. But I see that the user can "inspect element" in the browser and set the visibility accordingly. However, on the server side, I am using the @PreAuthorize annotation on the DAO to control the user actions.

How do I control the visibility of UI widgets without the user being able to make changes, maybe from the server side?

Update: I am looking for a JSTL equivalent in GWT.

Forkmohit
  • Apply security on the methods. Say you have a widget which enables the user to edit; it hits a method on the server side, so place the security there. When the edit request comes to the server, check if the user has the permission to edit; if not, display a message that you don't have the required permission. – underdog Sep 23 '15 at 05:09
  • If you have JSP on the UI, you can also check for permissions in the JSP by using EL. Show widget UI code – underdog Sep 23 '15 at 05:10
  • @underdog I told you, I am using method-level security on the server side with the '@PreAuthorize' annotation – Forkmohit Sep 23 '15 at 05:19
  • Then use the JSTL tags and prevent the widgets from loading onto the page if the user doesn't have permission to access them. In Stack Overflow, if you upvote your own answer it lets you do so, but the very moment you do it displays a message that you don't have permission, as it checks the user permission on the server. – underdog Sep 23 '15 at 05:24
  • @underdog sorry, I forgot to mention that GWT is on the UI side. So basically I am looking for the GWT equivalent of JSTL – Forkmohit Sep 23 '15 at 05:37

3 Answers

2

AFAIK there is no JSTL equivalent for GWT.
However, there are some 3rd-party libraries (i.e. ArcIS) that make displaying/hiding UI elements based on user permissions more convenient.

However, no matter whether you do it manually or using a library, you should make sure that you properly secure your backend side (as far as I can tell you are doing that by using method-level security).

One important thing to remember when dealing with client-side permissions/security:
You should never trust input/actions from the client/browser, because you are not in control of it. So you must always do security on the backend.

In my opinion, it really does not matter if the user could theoretically inspect the edit button, for example using the browser dev tools, and make it visible, as long as the edit action on the backend is properly secured. If you are really that concerned, you can remove the elements (i.e. the edit button) from the DOM instead of hiding them, but it won't make it more secure.

Ümit
0

"I, first called a service to get logged in user's permission and then set visibility: none or block based on the permission."

Well, instead of setting the visibility to none or block, assuming you are using JSP, use the JSTL tag

```jsp
<c:if test="${if the user has permission}">Show widget UI code</c:if>
```

If the page has n widgets for which the user doesn't have permission, why would you load the code for all n widgets? It's not performant.

underdog
  • Are you aware of a GWT equivalent of this? – Forkmohit Sep 23 '15 at 05:39
  • These may help: http://stackoverflow.com/questions/2364129/how-to-use-jstl-in-a-gwt-project http://stackoverflow.com/questions/7062024/gwt-jstl-in-development-mode-is-it-possible – underdog Sep 23 '15 at 05:41
0
  • write a panel that shows its contents based on security settings in the client code
  • add the widgets to be controlled inside the security panel
  • the panel will now control the appearance of its children based on security in your client code

As has been mentioned before, and as you have recognized yourself, client-side security is only visibility control and thus not sufficient to protect the app.

thst
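A client-side panel of the kind thst describes, written here as an added GWT (Java) example; it is not code from the question or from any of the answers. The granted-permission set and the permission name "EDIT" are assumptions: the set would be filled from a server call at login (not shown), and the server-side @PreAuthorize checks the question already has remain the actual access control.

```java
import java.util.Set;

import com.google.gwt.user.client.ui.Button;
import com.google.gwt.user.client.ui.Composite;
import com.google.gwt.user.client.ui.FlowPanel;
import com.google.gwt.user.client.ui.Widget;

/**
 * Attaches a child widget only when the current user holds the permission
 * named for it. The granted-permission set is assumed to be fetched from the
 * server once at login (call not shown); "EDIT" is a placeholder name.
 * Whatever the browser renders is untrusted, so the server-side method
 * security (@PreAuthorize on the service/DAO) remains the real control.
 */
public class SecurityPanel extends Composite {

    private final FlowPanel root = new FlowPanel();
    private final Set<String> grantedPermissions;

    public SecurityPanel(Set<String> grantedPermissions) {
        this.grantedPermissions = grantedPermissions;
        initWidget(root);
    }

    /** Adds a widget every user may see. */
    public void add(Widget child) {
        root.add(child);
    }

    /**
     * Adds child only if the user holds requiredPermission. Leaving the widget
     * unattached (rather than setVisible(false)) keeps its markup out of the
     * DOM, but as the answers note this is cosmetic, not a security boundary.
     */
    public boolean add(Widget child, String requiredPermission) {
        if (grantedPermissions.contains(requiredPermission)) {
            root.add(child);
            return true;
        }
        return false;
    }

    /** Example wiring: the Edit button is attached only for users with EDIT. */
    public static SecurityPanel buildToolbar(Set<String> permissionsFromServer) {
        SecurityPanel panel = new SecurityPanel(permissionsFromServer);
        panel.add(new Button("View"));
        panel.add(new Button("Edit"), "EDIT");
        return panel;
    }
}
```

The edit service the button calls must still reject the request for users without EDIT, since a user can always reconstruct the request in the browser regardless of what the panel attached.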