    Datasource structure at client

    Hi,

    I am in the process of evaluating SmartGWT EE and everything is working as expected so far... I do, though, have some questions regarding security:

    1. If I am loading the datasources from XML, looking at the client-server communication I can see my model structure sent to the client in clear text (I am using Hibernate-JPA mapping). That means anyone at the client side can see exactly how my db/model is structured. Is there any way to avoid this/make it not so straightforward?

    2. I am trying to make a field not available at the client - I have a USER model which also contains a password field which should not be visible at the client side. I am using canView="false" in the datasource, and when using the datasource directly it seems to work. However, using a JPA approach, the user is included via a ManyToOne relationship in another model. In this case all the properties from USER are sent to the client, including the password - when using the datasource of the model which includes the user. (All datasources derive from JPA.) Is there any solution to avoid sending the unwanted field to the client? Should the datasource XML specify for each model which fields should be included, using the foreignKey attribute?

    Thanks in advance,
    Stefan

    #2
    1. The model structure is visible in any technology the moment you show a grid or form to the user (which is a direct reflection of the model structure). So it does not make sense to try to hide such information. Sensitive information such as Java class names or SQL templates is automatically omitted.

    2. If you are using autoDeriveSchema and there are fields you do not want sent, you should declare those fields with canView="false" (see also DataSourceField.ignore).

    Simply having a relation to another bean does not cause information about that bean's fields to be sent to the client. You would have to declare a DataSource for the related bean for this to happen.



      #3
      Thanks for the quick reply.

      I might want to contradict you on the last affirmation:
      It DOES send information about the related bean even without a datasource. And more, in the case of defining the datasource it just ignores the properties set on fields (like canView="false").

      I declared a datasource with autoderive=true from a bean which contains a ManyToOne relation to another bean:

      @ManyToOne
      @JoinColumn(name = "USER_ID", nullable=false)
      private User referringUser;

      And this is the only datasource I have in my application. Building a grid which uses the defined datasource will send to the client the complete information for each entry, including the related user instance/properties.

      The only workaround I see is to avoid using relations to other beans in JPA in order to be able to hide some fields.

      Thanks again
      Stefan



        #4
        Oh, you're saying it sends actual *data* of related beans, not the *schema* of a related bean (e.g. a DataSource for it).

        This is the default behavior for relations that you declare in JPA as having eager fetching. Read the JPA/Hibernate Relations overview for all the different options the framework supports for delivering data for relations.

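The fetch-mode point made in #4, as an added example that is not part of the thread and not SmartGWT's or the poster's own code: the two JPA entities below are hypothetical (names User, Order, username and the getters are assumptions), and they place the poster's relation from #3 next to the same relation declared with explicit lazy fetching. The JPA facts the comments rely on are that a ManyToOne relation defaults to FetchType.EAGER and that a LAZY relation is not loaded with the owning entity; which options then apply to delivering the related data is what the JPA/Hibernate Relations overview referenced in #4 covers, so that part is left to the page's own reference. Keeping the password out of the response still belongs at the field level (canView="false" or DataSourceField.ignore on the User DataSource, as #2 says), and the practical check is the same one the poster used: inspect the actual response for the related record's fields.

```java
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.ManyToOne;

// Hypothetical entities, added for illustration. In a real project each
// @Entity lives in its own file; they are shown together here for brevity.

@Entity
class User {
    @Id
    private Long id;

    private String username;

    // Sensitive field. Exclusion from the client-visible schema is declared on
    // the DataSource for this bean (canView="false" or DataSourceField.ignore),
    // not in the entity; the entity only defines what Hibernate will load.
    private String password;

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

@Entity
class Order {
    @Id
    private Long id;

    // The relation as posted in #3. With no fetch attribute, JPA's default for
    // @ManyToOne is FetchType.EAGER, so every Order loaded also loads its
    // complete User, which is the situation #4 describes.
    //
    //   @ManyToOne
    //   @JoinColumn(name = "USER_ID", nullable = false)
    //   private User referringUser;
    //
    // Declared LAZY, the User is not loaded together with the Order. How the
    // related record is then delivered to the client is governed by the
    // relation options in the JPA/Hibernate Relations overview cited in #4.
    @ManyToOne(fetch = FetchType.LAZY)
    @JoinColumn(name = "USER_ID", nullable = false)
    private User referringUser;

    public Long getId() { return id; }
    public User getReferringUser() { return referringUser; }
    public void setReferringUser(User referringUser) { this.referringUser = referringUser; }
}
```

Switching the fetch mode changes what Hibernate loads, not what the DataSource is allowed to expose; treat the field-level exclusion on the User DataSource as the control and the fetch mode as a performance and data-volume setting, and verify the result on the wire rather than from the annotations.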