    DataSource Field Security Best Practices

    We have a datasource in which some fields carry sensitive data. We would like some users (based on JAAS roles) to be able to see the data, and some not. Of course it's very easy for us to include or not include the data in our forms and lists within the JavaScript code. However, using the server integration and the JSONFilter object, all the fields in the datasource are always passed down to the client. So simply using FireBug, Fiddler or others you can see the sensitive data.

    So my question is, what are the best practices for dynamically securing datasource fields on the backend using the existing SDK?

    #2
    Hi code08,

    We actually plan an 8.0 feature to allow a requiresRole attribute on the DataSource as a whole, operationBindings, and individual fields that checks JAAS roles. You could make it happen sooner by sponsoring it; otherwise, you can create a custom JSONFilter or iToJSON implementation that is sensitive to the user's current JAAS roles.



      #3
      Is requiresRole on fields still on the roadmap (or complete)? Or is there another way to do this (aside from clearing the fields in my own server code)?



        #4
        http://www.smartclient.com/smartgwte...l#requiresRole

        I guess implicit in this javadoc is that you do it by creating a different operationId that returns more fields.

        Code:
            <operationBinding operationType="fetch" requiresRole="manager">
                ... settings ...
            </operationBinding>
            <operationBinding operationType="fetch" operationId="fetchWithExtraFields">
                ... settings ...
            </operationBinding>
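
Added example, not part of the thread and not SmartClient code: one way to do the server-side stripping discussed above, removing role-protected fields from each record before it is serialized, so they never reach the browser. The class name `FieldRoleFilter`, the field names and the role names are hypothetical; in a servlet container the role check would be `HttpServletRequest::isUserInRole`.

```java
import java.util.*;
import java.util.function.Predicate;

// Hypothetical helper: role-based field filtering applied on the server,
// before the response is turned into JSON.
public class FieldRoleFilter {
    // field name -> role required to read it; unlisted fields are visible to everyone
    private final Map<String, String> requiredRole;

    public FieldRoleFilter(Map<String, String> requiredRole) {
        this.requiredRole = Map.copyOf(requiredRole);
    }

    // isUserInRole: e.g. request::isUserInRole; a null check means "no user", so deny.
    public List<Map<String, Object>> filter(List<Map<String, Object>> records,
                                            Predicate<String> isUserInRole) {
        // Decide once per request which protected fields this user may not see.
        Set<String> denied = new HashSet<>();
        for (Map.Entry<String, String> e : requiredRole.entrySet()) {
            if (isUserInRole == null || !isUserInRole.test(e.getValue())) {
                denied.add(e.getKey());
            }
        }
        List<Map<String, Object>> out = new ArrayList<>(records.size());
        for (Map<String, Object> rec : records) {
            Map<String, Object> copy = new LinkedHashMap<>(rec); // leave the source rows intact
            copy.keySet().removeAll(denied); // remove the key itself, not just its value
            out.add(copy);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data and roles.
        FieldRoleFilter f = new FieldRoleFilter(Map.of("salary", "manager", "ssn", "hr"));
        Map<String, Object> row = new LinkedHashMap<>();
        row.put("id", 7);
        row.put("name", "A. Example");
        row.put("salary", 52000);
        row.put("ssn", "000-00-0000");
        List<Map<String, Object>> rows = List.of(row);
        Set<String> clerk = Set.of("clerk");
        Set<String> manager = Set.of("manager");
        System.out.println("clerk sees:   " + f.filter(rows, clerk::contains));
        System.out.println("manager sees: " + f.filter(rows, manager::contains));
    }
}
```

The filter has to run on every path that returns records (fetch, add and update responses alike), otherwise the protected fields still show up in Firebug or Fiddler for the operations that bypass it.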
