I have a POJO in Google Web Toolkit like this that I can retrieve from the server.
class Person implements Serializable {
    String name;
    Date creationDate;
}
When the client makes changes, I save it back to the server using the GWT RemoteServiceServlet like this:
rpcService.saveObject(myPerson,...)
The problem is that the user shouldn't be able to change the creationDate. Since the RPC method is really just an HTTP POST to the server, it would be possible to modify the creationDate by changing the POST request.
A simple solution would be to create a series of RPC functions like changeName(String newName), etc., but with a class with many fields this would require many methods for each field, and would be inefficient for changing many fields at once.
I like the simplicity of having a single POJO that I can use on both the server and GWT client, but need a way to do it securely. Any ideas?
EDIT
I'm resubmitting with a bounty to try and see if there are any other ideas. Perhaps my original question focused too much on the specifics of GWT. Really I think this is a generic question for any system that uses JavaBeans to pass data between a secure (servlet container) and insecure (web browser) environment.
EDIT 2
Also, to be clear, I used the field creationDate as an example of the problem. In reality the code I'm working with is more complicated with many different fields.
I recommend that you keep your single RPC method, and use a POJO/bean mapper like Dozer or Gilead.
The side benefit is that you don't need to change your data access layer (supposing you have one). It doesn't matter whether you use an ORM or not, with a relational database or not.
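One way to keep the single saveObject call, shown as an added example that is not part of the original posts: the server treats the submitted bean as untrusted input and copies only an allow-list of client-editable fields onto the copy it loaded itself, so a tampered creationDate in the POST is never read. It uses plain Java reflection rather than Dozer or Gilead, and the id field, the STORE map and the mergeEditable helper are assumptions made for illustration.

```java
import java.io.Serializable;
import java.lang.reflect.Field;
import java.util.*;

public class SavePersonExample {
    // Same shape as the Person in the question; the id field is an assumption
    // so the server can find its own stored copy.
    static class Person implements Serializable {
        long id;
        String name;
        Date creationDate;
    }

    // Hypothetical stand-in for the data access layer.
    static final Map<Long, Person> STORE = new HashMap<>();
    // Allow-list of fields the client may change; everything else is server-owned.
    static final Set<String> EDITABLE = Collections.singleton("name");

    // Copies only allow-listed fields from the untrusted bean onto the stored one.
    static <T> T mergeEditable(T stored, T submitted, Set<String> editable) {
        for (Field f : stored.getClass().getDeclaredFields()) {
            if (!editable.contains(f.getName())) continue; // keep the stored value
            try {
                f.setAccessible(true);
                f.set(stored, f.get(submitted));
            } catch (IllegalAccessException e) {
                throw new IllegalStateException(e);
            }
        }
        return stored;
    }

    // Server-side body of the RPC method: never persist the submitted object itself.
    static Person saveObject(Person submitted) {
        Person stored = STORE.get(submitted.id);
        if (stored == null) throw new IllegalArgumentException("unknown id " + submitted.id);
        return mergeEditable(stored, submitted, EDITABLE);
    }

    public static void main(String[] args) {
        Person original = new Person();
        original.id = 1L; original.name = "Alice"; original.creationDate = new Date(1000L);
        STORE.put(original.id, original);

        // Constructed sample: what a modified POST request would deserialize to.
        Person tampered = new Person();
        tampered.id = 1L; tampered.name = "Alice B."; tampered.creationDate = new Date(0L);

        Person saved = saveObject(tampered);
        System.out.println(saved.name + " / creationDate ms = " + saved.creationDate.getTime());
    }
}
```

With many fields, only the EDITABLE set grows; fields added to the class later stay server-owned until they are explicitly listed.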