As discussed in Chapter 10, Customizing the User Interface with JavaScript, the browser cannot be trusted. Even if we could completely lock down the browser, the service endpoints would still need to be secured against forged XHR requests that bypass the user interface entirely. Therefore, it is the server-side authorization of access to services that forms the foundation of security in an application.
WaveMaker uses Acegi Security, which is now Spring Security (http://static.springsource.org/spring-security/site/), for request authorization. When security is enabled, every request received by the server is subjected to a chain of filters, or checks, before it is serviced. If an unauthenticated user requests access to a restricted resource, the user is redirected to the login page for authentication. Upon successful authentication, the original request is continued. Other filters may restrict access to service operations by role. If the requesting user has been authenticated but lacks the required...
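The following is an added example, not code from WaveMaker or Spring Security, that models the behaviour described above in plain Java so the flow can be followed end to end: every request passes through a chain of filters in order; an unauthenticated request for a restricted path is redirected to the login page and the original request is saved so it can be continued after login; a request from an authenticated user who lacks the role required by a service operation is stopped with a 403. The path names, the role name ROLE_ADMIN and the path-to-role mapping are assumptions for illustration. In Spring Security the same responsibilities fall to ExceptionTranslationFilter (save request, send to the login entry point) and FilterSecurityInterceptor (role-based access decision), which this toy chain does not reproduce in detail.

```java
import java.util.*;

/**
 * Added example (not WaveMaker's or Spring Security's own code): a minimal
 * model of a server-side security filter chain. Every request passes through
 * each filter in order; a filter either lets the request continue (null) or
 * stops it with a Response.
 */
public class FilterChainDemo {

    /** A request as seen by the server; the session carries the login state. */
    static final class Request {
        final String path;
        final Session session;
        Request(String path, Session session) { this.path = path; this.session = session; }
    }

    static final class Session {
        String user;                        // null until authenticated
        Set<String> roles = new HashSet<>();
        Request savedRequest;               // original request, replayed after login
    }

    /** Result of running the chain: serviced (200), redirected (302) or forbidden (403). */
    static final class Response {
        final int status;
        final String detail;                // redirect target or serviced path
        Response(int status, String detail) { this.status = status; this.detail = detail; }
        @Override public String toString() { return status + " " + detail; }
    }

    interface Filter {
        /** Return null to let the request continue, or a Response to stop the chain. */
        Response apply(Request req);
    }

    /** Paths reachable without authentication (the login page name is an assumption). */
    static final Set<String> PUBLIC = Set.of("/login.html");

    /** Redirects unauthenticated users to the login page after saving the original request. */
    static final Filter AUTHENTICATION = req -> {
        if (req.session.user != null || PUBLIC.contains(req.path)) return null;
        req.session.savedRequest = req;
        return new Response(302, "/login.html");
    };

    /** Service operations restricted by role (mapping and role name are assumptions). */
    static final Map<String, String> REQUIRED_ROLE =
        Map.of("/services/adminService.json", "ROLE_ADMIN");

    /** Stops an authenticated request whose session lacks the required role. */
    static final Filter AUTHORIZATION = req -> {
        String role = REQUIRED_ROLE.get(req.path);
        if (role == null || req.session.roles.contains(role)) return null;
        return new Response(403, req.path);
    };

    static final List<Filter> CHAIN = List.of(AUTHENTICATION, AUTHORIZATION);

    /** Runs the chain; only a request that passes every filter reaches the service. */
    static Response handle(Request req) {
        for (Filter f : CHAIN) {
            Response stop = f.apply(req);
            if (stop != null) return stop;
        }
        return new Response(200, req.path);
    }

    /** Successful authentication: record user and roles, then continue the saved request. */
    static Response login(Session s, String user, Set<String> roles) {
        s.user = user;
        s.roles = new HashSet<>(roles);
        Request original = s.savedRequest;
        s.savedRequest = null;
        return original == null ? new Response(200, "/index.html") : handle(original);
    }

    public static void main(String[] args) {
        Session s = new Session();
        // 1. Anonymous request for a restricted service: stopped and sent to the login page.
        System.out.println(handle(new Request("/services/userService.json", s)));
        // 2. Login as a user holding only ROLE_USER: the saved request is continued.
        System.out.println(login(s, "alice", Set.of("ROLE_USER")));
        // 3. Authenticated but without ROLE_ADMIN: stopped by the role filter.
        System.out.println(handle(new Request("/services/adminService.json", s)));
    }
}
```

The point worth checking in a real deployment is the same one the model makes explicit: the role check runs on the server for every service request, so a user who edits the JavaScript to expose an admin widget still cannot invoke the admin service without the role in their server-side session.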