RE: false sense of security?
- Subject: RE: false sense of security?
- From: <email@hidden>
- Date: Thu, 2 Sep 2004 10:03:59 +0200
- Thread-topic: false sense of security?
Hi!
Actually there is a way to access components by name. Adding the following to your application class should help prevent this. A cleverly crafted HTTP request might be able to work around this.
import com.webobjects.appserver.WOApplication;
import com.webobjects.appserver.WOComponent;
import com.webobjects.appserver.WOContext;

public class Application extends WOApplication {
    /** This should lock out attempts to access components directly by their name,
     *  i.e. by typing something like http://host:port/cgi-bin/WebObjects/Application.woa/wo/Component.wo
     */
    public WOComponent pageWithName(String pageName, WOContext context)
    {
        // No sender ID means the request was not triggered by a link or form in a
        // page; if it also did not come through the direct-action handler, serve
        // the default page instead of the component that was asked for by name.
        if ((context.senderID() == null)
                && (!directActionRequestHandlerKey().equals(context.request().requestHandlerKey())))
            return super.pageWithName(null, context);
        else
            return super.pageWithName(pageName, context);
    }
}
Pierre
-----Original Message-----
From: email@hidden
[mailto:email@hidden] On Behalf Of William Norris
Sent: Wednesday, September 01, 2004 5:09 PM
To: WebObjects (Group)
Subject: false sense of security?
Certain sections of my application (such as administrative pages) need to be accessible by only a certain group of people. In PHP, each page needs to check if the user is authorized. The "security through obscurity" doesn't really work, since if the user knew the exact URL they could go straight to the page. Now in WO, it seems as if there is no link going to a component, then there is really no way to get to it (aside from direct actions). So my question is this - is it adequate security to simply not show the link for users who are not authorized to access those sections? Is there any way they could bypass this? Do I need to recheck the user's credentials on each and every component / page?
Thanks,
Will
_______________________________________________
webobjects-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/webobjects-dev
Do not post admin requests to the list. They will be ignored.
Banque centrale du Luxembourg; Tel ++352-4774-1; http://www.bcl.lu
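The per-page check that the question asks about (whether credentials must be rechecked on every component), written out as an added example that is not code from this thread or from WebObjects itself: a common superclass that refuses to render unless the session holds the required right, so that hiding the link is no longer the only barrier. The `Session.isAdmin()` method and the `AccessDenied` component are assumed names for your own session subclass and your own error page.

```java
import com.webobjects.appserver.WOComponent;
import com.webobjects.appserver.WOContext;
import com.webobjects.appserver.WOResponse;

/** Base class for every page that only authorised users may see. */
public abstract class ProtectedPage extends WOComponent {

    public ProtectedPage(WOContext context) {
        super(context);
    }

    /** Subclasses say which right the current session must hold. */
    protected abstract boolean sessionMayView();

    /**
     * The check runs on every render of this page, regardless of how the
     * request arrived (link, form submission, direct action or a URL typed by
     * hand), so it does not depend on the link being hidden.
     */
    public void appendToResponse(WOResponse response, WOContext context) {
        if (!sessionMayView()) {
            // Render the "access denied" page in place of this one.
            // (AccessDenied is an assumed component name.)
            WOComponent denied = pageWithName("AccessDenied");
            denied.appendToResponse(response, context);
            return;
        }
        super.appendToResponse(response, context);
    }
}

/** Example admin page: only sessions flagged as admin get through. */
class AdminPage extends ProtectedPage {

    public AdminPage(WOContext context) {
        super(context);
    }

    protected boolean sessionMayView() {
        // Assumed: your own Session subclass records the admin flag at login.
        Session s = (Session) session();
        return s != null && s.isAdmin();
    }
}
```

In a real project each class goes in its own file; every administrative component then extends ProtectedPage instead of WOComponent.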