开发者

Client side validation vulnerabilities in GWT

开发者 https://www.devze.com 2023-03-12 12:18 出处:网络
I am building a web application using GWT, and performing the validation of text boxes and other fields in client side using a simple java class.I am not sure that a user can bypass those validation d

I am building a web application using GWT, and performing the validation of text boxes and other fields in client side using a simple java class.I am not sure that a user can bypass those validation during the running of that code.Please tell me the best secure way I can do the开发者_JAVA百科 validation in forms.


Usually, you'll want to validate both on the client and on the server: On the client for immediate feedback to the user (convenience, optional), and on the server for security (must!).

In contrast to applications that use jQuery or similar on the client side, and a different language on the server side, the advantage you get with GWT is, that you may be able to reuse the same validation code for client and server validation.


Javascript in browsers can be hacked/bypassed, so there is no secure way to do this. You should not rely on javascript to perform any security related functions.

You must do security checks on server it you want your app to be secure.


Here is a short blog post on my view of Client vs Server Validation:

http://ashtoncthomas.blogspot.com/2011/03/gwt-validation-on-client-server.html

There are a few areas where you can validate and some balances such as sharing code between the client and server.

Do you validate before you create DTO's or after (if you do after then you can share some code but you can't trust the input)

I built a custom validation framework which makes it easy to bundle validation on client and server but every situation is different and so I recommend finding something that works for the majority of your projects or at least for your current one.


Proper client side validation has been promised since 2006! http://code.google.com/p/google-web-toolkit/issues/detail?id=343 I'm not holding my breath on this one.

I've moved from fragile home-baked client-side validation to round-trip validation, where you submit a persist request with the entity in an invalid state. If you've got a validator running server-side, RequestFactory will send you a Set in Receiver.onViolation().

This has meant much less code for me, at the expense of a small delay in clients receiving validation results. It's still a lot faster than pure HTML forms.

Take a look at Validating Entities in: http://code.google.com/webtoolkit/doc/latest/DevGuideRequestFactory.html

0

精彩评论

暂无评论...
验证码 换一张
取 消