Re: false sense of security?
- Subject: Re: false sense of security?
- From: "Arturo Perez" <email@hidden>
- Date: Wed, 01 Sep 2004 11:39:42 -0400
William Norris wrote:
> Certain sections of my application (such as administrative pages) need
> to be accessible by only a certain group of people. In PHP, each
> page needs to check if the user is authorized. The "security through
> obscurity" doesn't really work, since if the user knew the exact URL
> they could go straight to the page. Now in WO, it seems as if there
> is no link going to a component, then there is really no way to get to
> it (aside from direct actions). So my question is this - is it
> adequate security to simply not show the link for users who are not
> authorized to access those sections? Is there any way they could
> bypass this? Do I need to recheck the user's credentials on each and
> every component / page?
> Thanks,
> will
To a certain extent it depends on what you mean by "not show the link."
For example, using CSS and setting the visible feature to false
probably wouldn't count :-) If you use a WOConditional then the content
inside of it doesn't even exist _anywhere_ so that would be good.
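One thing I've done, based on the security framework floating around, is to:

    public void appendToResponse(WOResponse aResponse, WOContext aContext) {
        // Render nothing at all unless the user is authorized
        if (!authorized) return;
        super.appendToResponse(aResponse, aContext);
    }
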
If you do that in a ComponentContent and stick your sensitive content in
there it works great.
But, every time I've checked, WO has not been hacked the way that PHP et
al. have been (search securityfocus for webobjects, for example).
So, from my point of view, it's a smug sense of security :-)
-arturo
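
The guard described above, extended to all three phases of the WebObjects request-response loop so that the check is repeated when form values are taken and actions are invoked, not only at render time. This is an added example, not code from the original post: the component name AuthorizedContent and the "isAdmin" session key are hypothetical, and its template is assumed to contain only a WOComponentContent.

```java
// Added example. AuthorizedContent and the "isAdmin" session key are
// hypothetical; the WO* classes and the overridden methods are the
// standard WebObjects component API.
import com.webobjects.appserver.WOActionResults;
import com.webobjects.appserver.WOComponent;
import com.webobjects.appserver.WOContext;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOResponse;

public class AuthorizedContent extends WOComponent {

    public AuthorizedContent(WOContext context) {
        super(context);
    }

    // Evaluated on every phase of every request, never cached in a field,
    // so a logout or role change takes effect on the next request.
    protected boolean authorized() {
        // hasSession() avoids creating a fresh session just to deny access
        if (!hasSession()) return false;
        return Boolean.TRUE.equals(session().objectForKey("isAdmin"));
    }

    // Phase 1: form values are pushed into the wrapped content's bindings
    @Override
    public void takeValuesFromRequest(WORequest request, WOContext context) {
        if (!authorized()) return;
        super.takeValuesFromRequest(request, context);
    }

    // Phase 2: the element that triggered the request has its action invoked
    @Override
    public WOActionResults invokeAction(WORequest request, WOContext context) {
        if (!authorized()) return null; // no wrapped action is invoked
        return super.invokeAction(request, context);
    }

    // Phase 3: the response is rendered; unauthorized users get no markup
    @Override
    public void appendToResponse(WOResponse response, WOContext context) {
        if (!authorized()) return;
        super.appendToResponse(response, context);
    }
}
```

Direct actions do not pass through a wrapper component like this one, so each direct action that reaches sensitive data needs its own check.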
_______________________________________________
webobjects-dev mailing list | email@hidden