Hi,
I am in the process of evaluating smartgwt ee and everything is working as expected so far... I do though have some questions regarding security:
1. If I am loading the datasources from xml, looking at the client-server communication I can see my model structure sent to the client in the clear (I am using hibernate-JPA mapping). That means anyone on the client side can see exactly how my db/model is structured. Is there any way to avoid this/make it not so straightforward?
2. I am trying to make a field not available at the client - I have a USER model which also contains a password field which should not be visible on the client side. I am using canView="false" in the datasource, and when using the datasource directly it seems to work. However, using a JPA approach, the user is included through a ManyToOne relationship in another model. In this case all the properties from USER are sent to the client, including the password, when using the datasource of the model which includes the user. (All datasources derive from JPA.) Is there any solution to avoid sending the unwanted field to the client? Should the datasource xml specify, for each model, which fields should be included using the foreignkey attribute?
Thanks in advance,
Stefan