There are a couple of security considerations, but the bottom line is that DWR takes security VERY seriously, and Joe Walker is a very knowledgeable guy when it comes to security, and I personally feel better about leaving my app's security in his hands than in any other AJAX library I've seen.
Now, more specifically, DWR does some things to deal with things like cross-site scripting and script injection. I'm frankly not qualified to go into detail on those things, but I know they're there.
DWR also lets you expose only the things you want to expose, and by default exactly ZERO classes are exposed through DWR; you have to explicitly allow DWR to remote a class... although, by default, when you say class A can be called via DWR it allows *any* method of said class to be called, so you have to remember that. It's very easy to reverse that policy and make only those methods you want exposed be callable.
DWR also ties in with J2EE security roles, so you can tie execution of arbitrary methods to users in given role(s). I *believe* I saw that integration with Acegi is also possible, but I have no knowledge of that.
I think security with DWR is like most things, but only better: by default it's probably safer than many other things, but you *can* screw yourself without trying too hard.
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM/Yahoo: fzammetti
MSN: fzammetti@hotmail.com
Author of "Practical Ajax Projects With Java Technology"
 (2006, Apress, ISBN 1-59059-695-1)
and "JavaScript, DOM Scripting and Ajax Projects"
 (2007, Apress, ISBN 1-59059-816-4)
Java Web Parts - http://javawebparts.sourceforge.net
 Supplying the wheel, so you don't have to reinvent it!
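The "expose only the methods you want" policy and the J2EE role tie-in described in the post above, shown as a dwr.xml fragment. This is an added example, not code from the poster or from the DWR project; the class `com.example.AccountService`, its method names, the JavaScript name `AccountService` and the role name `ROLE_USER` are hypothetical, and the DWR 2.0 DOCTYPE is assumed (a DWR 1.x deployment would use the 1.0 DTD instead).

```xml
<!DOCTYPE dwr PUBLIC
    "-//GetAhead Limited//DTD Direct Web Remoting 2.0//EN"
    "http://getahead.org/dwr/dwr20.dtd">
<dwr>
  <allow>
    <!-- Weak form: this <create> alone remotes EVERY public method of the
         class, including any setter or admin helper you forgot about.
         Shown for contrast only; do not ship it as-is. -->
    <!--
    <create creator="new" javascript="AccountServiceWide">
      <param name="class" value="com.example.AccountService"/>
    </create>
    -->

    <!-- Hardened form: the <include> list flips the policy so that only the
         named methods are callable from the browser; everything else on the
         class is invisible to DWR. -->
    <create creator="new" javascript="AccountService">
      <param name="class" value="com.example.AccountService"/>

      <include method="getBalance"/>
      <include method="listRecentTransactions"/>

      <!-- Tie each exposed method to a J2EE security role; DWR checks
           HttpServletRequest.isUserInRole() before dispatching. A method
           with no <auth> is callable by any caller who can reach the servlet. -->
      <auth method="getBalance" role="ROLE_USER"/>
      <auth method="listRecentTransactions" role="ROLE_USER"/>
    </create>
  </allow>
</dwr>
```

Two things worth checking when you review such a file: every `<create>` without an `<include>` list is a "whole class is remote" declaration, so grep for those; and `<auth>` only enforces what the container already knows about the session, so the servlet path DWR is mapped to must itself be under a `<security-constraint>` (or an equivalent Acegi filter) or `isUserInRole()` will never be true.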