Java Client Security
- Subject: Java Client Security
- From: Ian Joyner <email@hidden>
- Date: Thu, 27 Oct 2005 16:49:31 +1000
I've been researching this topic for a few days, since I realized
that the scheme outlined in Chapter 25 of WO JCDA on building a login
window was dependent on the fact that your client application used a
login window before you could access the server. But what if some
hacker built a client application that was not so nice and that
started accessing the server side with no checking. Depending on a
client app for security is definitely not a good idea.
It seemed this question was asked in:
http://lists.apple.com/archives/webobjects-dev/2005/Mar/msg00177.html
but there seemed to be no satisfactory answer apart from stability of
WO was very good, and maybe he should use AJAX, but the answers did
not address security.
Specifically, I wanted to do a check in the server-side
EOEnterpriseObjects whether a logged in user was allowed to do the
CRED (create, read, edit, delete aka CRUD but I think CRED sounds
more credible) operations on the current object, but there seemed to
be no way to get from an object to the current session (unlike
WOComponents) and the stored user record for the current user.
Anyway, I think I have found the answer in Chapter 6, p 140 on
delegates, that the session object is a delegate of
EODistributionContext and these delegate methods are called to check
security before operations are allowed on the server side. These
return false if the user is not logged in, which can be in a parent
class of session and then in a subclass provide more fine-grained
access control for checking CRED operations.
Has anyone else implemented such a JC security scheme? Does this
sound like the right way to go?
Thanks
Ian Joyner
Sportstec
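One way to lay out the two-level scheme described above (a parent session that refuses everything until login, and a subclass that adds per-object CRED rules), as an added sketch that is not from the original post or from the WO book. The delegate method names and parameter lists are assumptions from memory of the WO 5 `EODistributionContext.Delegate` interface and should be checked against the Javadoc; the `owner` key on the enterprise object is hypothetical.

```java
import com.webobjects.appserver.WOSession;
import com.webobjects.eocontrol.EOEditingContext;
import com.webobjects.eocontrol.EOEnterpriseObject;
import com.webobjects.eocontrol.EOFetchSpecification;
import com.webobjects.eodistribution.EODistributionContext;
import com.webobjects.foundation.NSArray;

// Parent session: every server-side operation is refused until the user has logged in.
public class AuthSession extends WOSession implements EODistributionContext.Delegate {
    protected EOEnterpriseObject user;   // stored user record; null until login succeeds

    public boolean isLoggedIn() { return user != null; }

    // Fine-grained hook for subclasses. Default: a logged-in user may only read.
    protected boolean canPerform(String op, EOEnterpriseObject eo) {
        return isLoggedIn() && "read".equals(op);
    }

    // Assumed delegate signature: called before a client fetch is executed.
    public boolean distributionContextShouldFetch(EODistributionContext dc,
            EOFetchSpecification fs, EOEditingContext ec) {
        return isLoggedIn();   // an unauthenticated client gets no data at all
    }

    // Assumed delegate signature: called before client changes are saved.
    public boolean distributionContextShouldSave(EODistributionContext dc,
            NSArray inserted, NSArray updated, NSArray deleted) {
        return isLoggedIn()
            && allAllowed("create", inserted)
            && allAllowed("edit", updated)
            && allAllowed("delete", deleted);
    }

    private boolean allAllowed(String op, NSArray eos) {
        for (int i = 0; i < eos.count(); i++)
            if (!canPerform(op, (EOEnterpriseObject) eos.objectAtIndex(i))) return false;
        return true;   // the whole save is rejected if any one object fails its check
    }
}

// Subclass: per-object rules, here "only the owner may edit or delete a record".
class AppSession extends AuthSession {
    protected boolean canPerform(String op, EOEnterpriseObject eo) {
        if (!isLoggedIn()) return false;
        if ("read".equals(op) || "create".equals(op)) return true;
        return user.equals(eo.valueForKey("owner"));   // hypothetical "owner" relationship
    }
}
```

Because the checks run in the session on the server, a client built without the login window still cannot fetch or save anything until it has authenticated.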