ongwt.com

Sunday 06 January 2008

GWT Conference : GWT - Security

Lee Thé:

In this talk, Hoffman demonstrated advanced attacks against AJAX applications, including manipulating client-side logic, defeating logic protection techniques, function hijacking (client-side code being changed), JavaScript Object Notation (JSON) hijacking and denial of service attacks. He discussed the susceptibility of GWT applications to these kinds of attacks and compared GWT security features to other AJAX frameworks, such as Prototype and Dojo. He ended by talking about hacking Google Gears, an open source browser extension that lets developers create Web applications that can run offline.

Complete article (a must read): Advanced AJAX Security

Slides: Advanced Ajax Security

Wednesday 10 October 2007

GWT FAQ : Login Security

reinierz

This article describes how to do the following:

    * Create a 'login' page that is based on user/password authentication.
    * Store this data in a secure fashion on your server.
    * Allow users to 'remain logged in' for as long as you want so they don't have to enter their user name and password every time.
    * Make 'auto-complete' features of most modern browsers work with your GWT login page.
    * Discussion on adding more security with either HTTPS or a fancy hashing algorithm.

Login Security

Tuesday 03 April 2007

onGWT : Security for GWT Applications

Dan Morrill just published a very good article about Security and GWT Applications. The first part of the article describes the major classes of attacks against JavaScript that are applicable to any AJAX framework. The second portion describes how to secure your GWT applications against them. A must read!
Security for GWT Applications
Source: Google Web Toolkit Blog