Security is always important, and the DWR project has considered it very thoroughly. The framework takes many security issues into account, and the DWR website discusses security at length, enough to fill several books on the subject.

Among the people for whom security is important are developers like you and me. Software does only what we instruct it to do, so we must be security-conscious during development and do our best to limit the opportunities to exploit our work.

When using DWR, we manually specify in the dwr.xml configuration (unless we have created some automatic code-generation software that does it for us) which Java classes and methods we want to remote to JavaScript. This way we can be sure that no attacker can exploit any objects other than our explicitly remoted Java objects (and we can concentrate on making those objects as secure as possible).

The configuration in dwr.xml also includes a create entry for each remoted Java...
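As an added example (not code from the original text or from the DWR project), the following script audits a dwr.xml file and reports how much of each remoted class is actually exposed. The embedded configuration is constructed for illustration, and its class and method names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed dwr.xml for illustration; class and method names are hypothetical.
SAMPLE_DWR_XML = """\
<dwr>
  <allow>
    <create creator="new" javascript="AccountService">
      <param name="class" value="com.example.AccountService"/>
      <include method="getBalance"/>
      <include method="listTransactions"/>
    </create>
    <create creator="new" javascript="AdminTools">
      <param name="class" value="com.example.AdminTools"/>
    </create>
    <create creator="new" javascript="ReportService">
      <param name="class" value="com.example.ReportService"/>
      <exclude method="purgeReports"/>
    </create>
  </allow>
</dwr>
"""


def audit_dwr_config(xml_text):
    """Return one finding per <create> entry, describing its remoted surface."""
    root = ET.fromstring(xml_text)
    findings = []
    for create in root.iter("create"):
        class_param = create.find("param[@name='class']")
        included = [e.get("method") for e in create.findall("include")]
        excluded = [e.get("method") for e in create.findall("exclude")]
        if included:
            exposure = "allow-list"   # only the named methods are remoted
        elif excluded:
            exposure = "deny-list"    # everything except the named methods
        else:
            exposure = "all-public"   # DWR default: every public method is remoted
        findings.append({
            "javascript": create.get("javascript"),
            "class": class_param.get("value") if class_param is not None else None,
            "exposure": exposure,
            "methods": included or excluded,
            "review": exposure != "allow-list",  # flag anything not allow-listed
        })
    return findings


if __name__ == "__main__":
    for f in audit_dwr_config(SAMPLE_DWR_XML):
        flag = "REVIEW" if f["review"] else "ok"
        print(flag, f["javascript"], f["class"] or "?", f["exposure"], f["methods"])
```

Entries flagged for review are those that rely on a deny-list or on the default of remoting every public method, so a method added to the Java class later becomes callable from JavaScript without any change to dwr.xml.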