Generic security context server or client

Mon Feb 03, 2014 3:31 pm

I understand that I can create my own security context with Appery (http://docs.appery.io/documentation/g...) . However I am a little confuse whether the security context is server side or client side. If it is client side then I think it is not very secure as it can be tempered with. I hope that it is serve side.

The reason why I think it is client side is because in the example it shows the following code:

".....localStorage.acces_token;"

I could be wrong but does this mean that the security context is client side? Otherwise how would this JS ever work?

Please confirm.

Alon

Mon Feb 03, 2014 4:10 pm

Hello! Yes, you're right. Generic Security Context is a wrapper for service invocation, it's client. If you're interested in storing on server and sending some data while service invocation use proxy http://docs.appery.io/documentation/s...

Mon Feb 03, 2014 4:25 pm

Thanks Maryna. Unfortunately I dont see how a Proxy can let me call my own JS code.

What I am trying to achieve is implement my own authentication process for any REST service. The security context would be perfect for this except it is not secure since it is client side and can easily be circumvented.

Mon Feb 03, 2014 5:36 pm

If you do something with JS - it's a client side and there is no way to "hide" it. Try to use server code. Invoke server code, do necessary data conversion and invoke service from server code.
http://docs.appery.io/documentation/b...