I came across this online document, and in it there is a slide about GWT offline authentication:
When online, authentication is done by the server.
- We should then be able to re-authenticate him/her without the server. Be careful! Local storage completely unsecure!
We thus store the user’s password in the browser, salted and crypted with SHA-3.
Find a Java SHA-3 implementation, copy-paste in the project:
String shaEncoded = SHA3.digest( String clearString );
Offline HTML5 apps with GWT 18
The questions are:
- Is it really possible to securely authenticate a GWT application with this approach? If it's SHA-3 encoded would it really make it secure?
- When the user gets authenticated in the browser, then the user uses the offline app, say to save stuff, then surely it is just stored in the HTML5 Storage, however with the user info perhaps embedded in anything saved. Thus, when the app gets back online, it will sync to the server. How is this secure? Would the server just accept that the thing it is syncing really is from the right user?
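
The offline check the slide describes, written out as an added example (not code from the post or from the slide deck). Node.js stands in for the browser and a `Map` stands in for HTML5 local storage; the function names, the `auth:` key prefix and the scrypt variant shown beside the slide's salted SHA-3 are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Stand-in for window.localStorage: readable by anyone with access to the device.
const storage = new Map();

// Derive the stored verifier. 'sha3' is the slide's scheme (one salted hash);
// 'scrypt' is an assumed alternative using a deliberately slow, memory-hard KDF.
function derive(scheme, password, salt) {
  if (scheme === 'sha3') {
    return crypto.createHash('sha3-256').update(salt).update(password, 'utf8').digest();
  }
  if (scheme === 'scrypt') {
    // N=2^14, r=8, p=1: about 16 MiB of memory per derivation
    return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
  }
  throw new Error('unknown scheme: ' + scheme);
}

// Called once while online, after the server has accepted the password.
function enroll(user, password, scheme) {
  const salt = crypto.randomBytes(16); // fresh random salt per user
  const record = {
    scheme,
    salt: salt.toString('hex'),
    hash: derive(scheme, password, salt).toString('hex'),
  };
  storage.set('auth:' + user, JSON.stringify(record));
  return record;
}

// Offline re-authentication: recompute the verifier and compare in constant time.
function verifyOffline(user, password) {
  const raw = storage.get('auth:' + user);
  if (raw === undefined) return false;
  const { scheme, salt, hash } = JSON.parse(raw);
  const expected = Buffer.from(hash, 'hex');
  const actual = derive(scheme, password, Buffer.from(salt, 'hex'));
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Average cost in milliseconds of one derivation, i.e. the price of testing
// one candidate password for someone who holds a copy of the stored record.
function msPerGuess(scheme, rounds) {
  const salt = Buffer.alloc(16);
  const start = process.hrtime.bigint();
  for (let i = 0; i < rounds; i++) derive(scheme, 'candidate' + i, salt);
  return Number(process.hrtime.bigint() - start) / 1e6 / rounds;
}
```

The salt only prevents precomputed tables; with a single fast hash the cost of testing a password against a copied record stays tiny, which is what `msPerGuess` makes visible for the two schemes.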