Re: WO Ajax
- Subject: Re: WO Ajax
- From: Jean-François Veillette <email@hidden>
- Date: Tue, 25 Apr 2006 10:25:31 -0400
I just tried around a bit and it looks like the first-level object is
a set of remote functions and the results of those functions are
indeed hashmaps. But still I would think you could write an exploit if
you managed to create the remote JS that creates the functions JS and
subsequently call it.
It is a good concern. We should probably put a warning in this
component documentation that proxy objects are something that a hacker
could use and that the user (developer) should be careful about which object
they register as proxy.
I would still guess that it could be difficult to hack, since from
javascript, you would need to force the registration of a foreign
object. At that point I don't know how easy that could be.
It's not like it's using key-value-coding (which would be a wide open
door), it's only opening method for specified registered objects.
But if you make it easy on the java side ... well ... it's all
available for a hacker.
Call me paranoid if you wish, I'd still think it's safer to simply
create an object on the page that only has those methods it needs (add
and addMore in this case).
That would be the safer way to use the proxy component ... just
because no one wishes to be the first one hacked.
- jfv
Cheers, Anjo
Am 25.04.2006 um 15:01 schrieb Anjo Krank:
You're right. Trying this yields:
TypeError - Value undefined (result of expression jason.wopage.application().terminate) is not object.
Cheers, Anjo
Am 25.04.2006 um 14:33 schrieb Jean-François Veillette:
Le 06-04-25, à 00:47, Anjo Krank a écrit :
You need to get a servlet.jar and add it to your
/Library/WebObjects/Extensions.
And you should be careful with that component. I haven't yet tested
it, but it seems to me that if you bind up your page as the proxy
object, you could call sth like page.application().terminate()...
I didn't try, but from reading the code, my understanding is that
you only get 1 level interface from the proxy object. So if the
page is your proxy, the rpc will make public only the methods
available from that page object. So yes you can call
page.application(), but the rpc will receive an application object
which is a big 'undefined' in javascript. You then won't be able to
call 'terminate()' on it since this will be evaluated in javascript
(a no-op).
There is a way to return another proxy object, this is an 'advanced'
feature of json-rpc (foreign reference or something like that), but
this is not yet investigated for wo integration.
- jfv
Cheers, Anjo
Am 25.04.2006 um 05:25 schrieb David Holt:
Hi Mike,
Thanks for all your hard work. The sortable list is something that
I have been in desperate need of for my application, and to see it
implemented is just too cool. The drag and drop shows promise for
inclusion soon too...
The RPC link still doesn't work, at least on my system. I am using
build 67 and received the following error for the first hyperlink
(the rest work perfectly):
Exception in thread "WorkerThread9" com.webobjects.foundation.NSForwardException for java.lang.NoClassDefFoundError: javax.servlet.http.HttpServletRequest
    at com.metaparadigm.jsonrpc.JSONRPCBridge.class$(JSONRPCBridge.java:75)
    at com.metaparadigm.jsonrpc.JSONRPCBridge.<clinit>(JSONRPCBridge.java:131)
    at er.ajax.AjaxProxy.handleRequest(AjaxProxy.java:231)
    at er.ajax.AjaxComponent.invokeAction(AjaxComponent.java:155)
    at com.webobjects.appserver._private.WOComponentReference.invokeAction(WOComponentReference.java:104)
    at com.webobjects.appserver._private.WODynamicGroup.invokeChildrenAction(WODynamicGroup.java:101)
    at com.webobjects.appserver._private.WODynamicGroup.invokeAction(WODynamicGroup.java:110)
    at com.webobjects.appserver.WOComponent.invokeAction(WOComponent.java:945)
    at com.webobjects.appserver.WOSession.invokeAction(WOSession.java:1168)
    at com.webobjects.appserver.WOApplication.invokeAction(WOApplication.java:1375)
    at com.webobjects.appserver._private.WOComponentRequestHandler._dispatchWithPreparedPage(WOComponentRequestHandler.java:196)
    at com.webobjects.appserver._private.WOComponentRequestHandler._dispatchWithPreparedSession(WOComponentRequestHandler.java:287)
    at com.webobjects.appserver._private.WOComponentRequestHandler._dispatchWithPreparedApplication(WOComponentRequestHandler.java:322)
    at com.webobjects.appserver._private.WOComponentRequestHandler._handleRequest(WOComponentRequestHandler.java:358)
    at com.webobjects.appserver._private.WOComponentRequestHandler.handleRequest(WOComponentRequestHandler.java:432)
    at com.webobjects.appserver.WOApplication.dispatchRequest(WOApplication.java:1306)
    at com.webobjects.appserver._private.WOWorkerThread.runOnce(WOWorkerThread.java:173)
    at com.webobjects.appserver._private.WOWorkerThread.run(WOWorkerThread.java:254)
    at java.lang.Thread.run(Thread.java:613)
On 24-Apr-06, at 7:45 PM, Mike Schrag wrote:
OK, the build script is fixed up ... Wonder build 67 includes
AjaxExample.woa in the Wonder-2.0.0.67-Examples.tar.gz (rather
than the Applications tar). You need Ajax.framework and
ERJars.framework in your /Library/Frameworks folder to run it,
and those are in the Frameworks tar. Third time's a charm :)
ms
On Apr 24, 2006, at 10:23 PM, Mike Schrag wrote:
I only run it in Eclipse, so I didn't notice that it didn't have
the real framework dependencies setup, only the eclipse project
dependencies (which also explains why i couldn't get the build
script working properly most likely). I replaced that
AjaxExamples tar with the PROPER one (really only differs in
that the classpath files are updated). Your process was
correct.
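As an added illustration of jfv's advice above (not code from the thread, from Wonder's AjaxProxy, or from json-rpc-java): a small reflection audit that lists what a reflection-based RPC bridge would make callable, one level deep, when the page itself is registered as the proxy versus a dedicated facade that carries only add and addMore. ShoppingPage, CartProxy and their method names are hypothetical stand-ins for a real WOComponent page.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical stand-in for a WOComponent page; not a real WebObjects class.
class ShoppingPage {
    public Object application() { return new Object(); } // framework object reachable from the page
    public Object session()     { return new Object(); }
    public void   add(String item) { }
    public void   addMore(String item, int qty) { }
    public void   resetSession() { }  // a page method you never meant to expose to JavaScript
}

// Minimal facade: exposes only the methods the JavaScript side actually needs.
class CartProxy {
    private final ShoppingPage page;
    CartProxy(ShoppingPage page) { this.page = page; }
    public void add(String item)              { page.add(item); }
    public void addMore(String item, int qty) { page.addMore(item, qty); }
}

public class ProxyExposureAudit {
    // Approximates a reflection-based bridge: every public method declared on the
    // registered object's class becomes remotely callable. Return values are not
    // themselves proxied (the "1 level interface" discussed in the thread).
    static Set<String> exposedMethods(Object proxy) {
        Set<String> names = new TreeSet<>();
        for (Method m : proxy.getClass().getDeclaredMethods()) {
            if (Modifier.isPublic(m.getModifiers())) {
                names.add(m.getName() + "/" + m.getParameterCount());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        ShoppingPage page = new ShoppingPage();
        // Registering the page exposes application(), session(), resetSession() too.
        System.out.println("page as proxy:   " + exposedMethods(page));
        // Registering the facade exposes exactly add/1 and addMore/2.
        System.out.println("facade as proxy: " + exposedMethods(new CartProxy(page)));
    }
}
```

Running the audit against whatever object you intend to register is a cheap way to review the exposed surface before binding it to the proxy component.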
Webobjects-dev mailing list (email@hidden)