menu item security question
Say I do
which disables it client side.
What if a hacker triggers it, sends a valid request or whatever, is it also "disabled" on the server side, meaning it won't enter its registered command and execute the logic?
Or do I have to check like:
before executing the logic in the registered command for that menuItem?
Vaadin will take care of handling this kind of state for you unless noted otherwise in the book (and I seem to remember that only modal windows can be bypassed and need some extra care).
There's no indication on server-side for me that the "enabled" boolean is used server-side
However, for someone to send a successful request, they need to know:
1. probably the code in this POST content:
and I hope that isn't built client side, because it would be a security flaw
2. and the sessionid
To guess the combination of these two is almost impossible with today's infrastructure.
It would have to be a man in the middle attack, in which case it isn't about the enabled/disabled thing anymore
Tudor Raneti: There's no indication on server-side for me that the "enabled" boolean is used server-side
I believe MenuBar.changeVariables() is where it is checked before changing the state of an item or executing its command.
You're right, was careless with following the variable around.
Not a total loss. I discovered the Poster Firefox add-on while playing around, pretty useful at showing that someone can hitch a ride on your session if they find out its id.
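A defence-in-depth version of the check asked about in this thread, as an added example that is not code from the thread or from Vaadin: the command re-reads the item's enabled flag from the server-side component and also evaluates an authorization rule on every request. It assumes the Vaadin 6/7 `MenuBar` API; `GuardedCommand`, `Permission` and `addGuarded` are hypothetical names.

```java
import com.vaadin.ui.MenuBar;
import com.vaadin.ui.MenuBar.MenuItem;
import java.io.Serializable;
import java.util.logging.Logger;

/** Hypothetical wrapper: runs the delegate only if server-side state allows it. */
public class GuardedCommand implements MenuBar.Command {
    private static final Logger LOG = Logger.getLogger(GuardedCommand.class.getName());

    /** Hypothetical server-side permission rule, evaluated on every request. */
    public interface Permission extends Serializable {
        boolean granted();
    }

    private final Permission permission;
    private final MenuBar.Command delegate;

    public GuardedCommand(Permission permission, MenuBar.Command delegate) {
        this.permission = permission;
        this.delegate = delegate;
    }

    @Override
    public void menuSelected(MenuItem selectedItem) {
        // The flag is read from the server-side item, never from request data.
        if (!selectedItem.isEnabled()) {
            LOG.warning("Rejected selection of disabled item: " + selectedItem.getText());
            return;
        }
        // Enabled/disabled is UI state; the permission rule is the actual access control.
        if (!permission.granted()) {
            LOG.warning("Rejected unauthorized selection: " + selectedItem.getText());
            return;
        }
        delegate.menuSelected(selectedItem);
    }

    /** Wiring: the item starts disabled for users the rule does not allow. */
    public static MenuItem addGuarded(MenuBar bar, String caption,
                                      Permission permission, MenuBar.Command command) {
        MenuItem item = bar.addItem(caption, new GuardedCommand(permission, command));
        item.setEnabled(permission.granted());
        return item;
    }
}
```

The logged rejections are worth alerting on, since a normal client never sends a selection for an item it rendered as disabled.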