Details
Description
Whilst writing an Authentication/Authorization plugin I noticed that authorization ( GridSecurityProcessor.authorize(...) ) takes place on the client rather than on the server (new node authentication takes part on the server). This seems a little insecure as the client can easily deploy with a modified (or without the) plugin.
Just an observation...