Re: false sense of security?
- Subject: Re: false sense of security?
- From: William Norris <email@hidden>
- Date: Wed, 1 Sep 2004 10:47:06 -0500
On Wed, 01 Sep 2004 11:39:42 -0400, Arturo Perez <email@hidden> wrote:
> William Norris wrote:
> > Certain sections of my application (such as administrative pages) need
> > to be accessible by only a certain group of people. In PHP, each
> > page needs to check if the user is authorized. The "security through
> > obscurity" doesn't really work, since if the user knew the exact URL
> > they could go straight to the page. Now in WO, it seems as if there
> > is no link going to a component, then there is really no way to get to
> > it (aside from direct actions). So my question is this - is it
> > adequate security to simply not show the link for users who are not
> > authorized to access those sections? Is there any way they could
> > bypass this? Do I need to recheck the user's credentials on each and
> > every component / page?
> >
> > Thanks,
> > will
>
> To a certain extent it depends on what you mean by "not show the link."
> For example, using CSS and setting the visible feature to false
> probably wouldn't count :-) If you use a WOConditional then the content
> inside of it doesn't even exist _anywhere_ so that would be good.
>
> One thing I've done, based on the security framework floating around is to
>
> public void appendToResponse(WOResponse response, WOContext context) {
>     if (!authorized) return;   // unauthorized: append nothing at all
>     super.appendToResponse(response, context);
> }
>
> If you do that in a ComponentContent and stick your sensitive content in
> there it works great.
>
> But, every time I've checked, WO has not been hacked the way that PHP et
> al have been (search securityfocus for webobjects, for example).
>
> So, from my point of view, it's a smug sense of security :-)
>
> -arturo
I'm using a WOConditional to prevent the link from even being created.
However, I'm running into another problem now... I have a function -
boolean userInGroup(String username, String password);
that will determine if the link should be displayed for that user.
However, it appears to me that WOConditional (or any Dynamic Element
for that matter) will not allow you to bind functions that take in
parameters. The only thing that actually works would be a series of
functions - userInAdminGroup(), userInStudentGroup(), etc... but as
far as I'm concerned, that's not even a viable option.
webobjects-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/webobjects-dev
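The two problems in this thread (gate content server-side on every render rather than by hiding links, and check group membership without a separate `userInXGroup()` accessor per group) can be solved together with one wrapper component that takes the group as a binding. The following is an added example, not code from either poster or from WebObjects itself; `Session.user()`, `User.isInGroup()`, the `requiredGroup` binding name, and the `.wod`/`.html` names in the comments are assumptions made for the example. WOConditional's `condition` binding is a key path resolved through key-value coding, which is why it cannot call a method with arguments; moving the parameter into a binding on a component of your own sidesteps that limit.

```java
// AuthorizedContent.java  (added example; not from the original thread or from WebObjects)
import java.util.Set;

import com.webobjects.appserver.WOActionResults;
import com.webobjects.appserver.WOComponent;
import com.webobjects.appserver.WOContext;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOResponse;
import com.webobjects.appserver.WOSession;

/** Assumed application session: holds the logged-in user (null when anonymous). */
class Session extends WOSession {
    private User user;
    public User user() { return user; }
    public void setUser(User u) { user = u; }
}

/** Assumed user model. Membership is resolved from the authenticated session,
    so no username/password pair is passed around at render time. */
class User {
    private final Set<String> groups;
    User(Set<String> groups) { this.groups = groups; }
    boolean isInGroup(String group) { return group != null && groups.contains(group); }
}

/**
 * Wrapper component (assumed name). Its own files are trivial:
 *
 *   AuthorizedContent.html:  <webobject name="Content"></webobject>
 *   AuthorizedContent.wod:   Content : WOComponentContent {}
 *
 * In the enclosing page, wrap the sensitive markup and bind the group:
 *
 *   AdminOnly : AuthorizedContent { requiredGroup = "admin"; }
 *
 * One component serves every group, so the per-group accessors the
 * thread considers unworkable are not needed.
 */
public class AuthorizedContent extends WOComponent {
    /** Filled from the binding of the same name by WOComponent's
        default binding synchronization. */
    public String requiredGroup;

    public AuthorizedContent(WOContext context) {
        super(context);
    }

    private boolean authorized() {
        User u = ((Session) session()).user();
        return u != null && u.isInGroup(requiredGroup);
    }

    /** Re-evaluated on every request that renders this page, so a revoked
        membership takes effect immediately. When the check fails nothing
        inside the wrapper is appended, so the client never sees the markup
        and no element IDs / action URLs for it are generated. */
    @Override
    public void appendToResponse(WOResponse response, WOContext context) {
        if (!authorized()) {
            return;
        }
        super.appendToResponse(response, context);
    }

    /** Belt and braces: a crafted request can still carry an element ID that
        points into the wrapped content, so refuse to dispatch actions there
        as well. Returning null lets WebObjects fall back to the current page. */
    @Override
    public WOActionResults invokeAction(WORequest request, WOContext context) {
        if (!authorized()) {
            return null;
        }
        return super.invokeAction(request, context);
    }
}
```

Usage note: this covers component actions and rendering, which is the path the thread is discussing. Direct actions (`WODirectAction` subclasses), which the original question already singles out as the exception, bypass component rendering entirely and need the same `session().user()` / `isInGroup()` check at the top of each action method.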