Tags: javascript, ria, backbone.js, rich-internet-application

Applying authorization and security to RIA's


I'm thinking about creating an RIA version of a traditional web application. In a traditional web app, most of the code is on the server, obviously, out of reach of the client. There I would have, at the very least, conditional code to check if the current user has permission to do something, or which form fields to display. In an RIA, all code is running in the browser. So I have, it seems, two choices.

  1. If I need to display a form, grab it dynamically from the server. This works, but it makes the server do more work than just marshal back and forth JSON.
  2. Bring back the account data from the server, and do all authorization code on the client. I took a quick peek at basecampmobile, and it seems they are doing something like this. My question is, does hiding this information behind a closure really protect it, or is this "security by obscurity"?

Solution

  • I would do authorization on the server and the client. The client authenticates with the server and the server returns only data belonging to that client/user, nothing else. Then on the client you check the authorization on specifics to update the UI accordingly.

    Remember you can always jump into the dev tools and see the network traffic, so we are not even talking about obscurity here...
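As an added illustration of the answer above (example code, not from the original post; the session object, field list and account records are constructed): the same permission rule runs on the server, where it is enforced, and on the client, where it only decides what the UI shows. A request tampered with in the dev tools still fails at the server.

```javascript
// Shared rule: which account fields a given role may edit.
// Shipping this to the browser is fine, because the server applies it too.
const EDITABLE_FIELDS = {
  admin: ["email", "plan", "role"],
  member: ["email"],
};
function canEdit(role, field) {
  return (EDITABLE_FIELDS[role] || []).includes(field);
}

// --- Server side (assumes a session already established by login) ---
// Constructed data store, keyed by account id.
const ACCOUNTS = {
  1: { id: 1, owner: "alice", email: "a@example.test", plan: "free" },
  2: { id: 2, owner: "bob",   email: "b@example.test", plan: "pro" },
};

// Only the records belonging to the authenticated user are returned,
// plus the role the client needs to shape its own UI.
function listAccounts(session) {
  return Object.values(ACCOUNTS).filter((a) => a.owner === session.user);
}
function profileFor(session) {
  return { user: session.user, role: session.role, accounts: listAccounts(session) };
}

// Apply an update only if the record is the user's own and every
// submitted field is allowed for the session's role (server-side check).
function updateAccount(session, id, changes) {
  const record = ACCOUNTS[id];
  if (!record || record.owner !== session.user) return { ok: false, status: 404 };
  const denied = Object.keys(changes).filter((f) => !canEdit(session.role, f));
  if (denied.length) return { ok: false, status: 403, denied };
  Object.assign(record, changes);
  return { ok: true, status: 200 };
}

// --- Client side (a Backbone view would render from this) ---
// Decides which inputs to show; it is convenience, not enforcement.
function editableFormFields(profile) {
  return ["email", "plan", "role"].filter((f) => canEdit(profile.role, f));
}
```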