• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: [philosophical question] Direct component access: does it have any use at all?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [philosophical question] Direct component access: does it have any use at all?

  • Subject: Re: [philosophical question] Direct component access: does it have any use at all?
  • From: Chuck Hill <email@hidden>
  • Date: Sun, 4 Nov 2007 11:51:10 -0800

On Nov 4, 2007, at 8:55 AM, Miguel Arroz wrote:

Hi!

I was checking out the "Preventing Direct Component Access" section in page 137 of Practical WO book. *

This is an easy issue to avoid, as long as you know that you have to do it.

My question is: as most people don't, shouldn't this feature be disabled by default? This is a huge security hole. Of course all my pages are protected with a "IsAuthenticated" wrapper, but I can't do the same to all my little subcomponents, due to keeping my sanity. And obviously I have no ideia how will every subcomponent react to this kind of access, specifically if they will reveal info they they shouldn't or just throw an exception.

So, I don't see any use at all for this "feature", as we have Direct Actions to do this decently. The only good use for this is to get iTunes musics and Mac Pros for free! ;) Kidding, but seriously, this COULD be a huge security breach on many apps out there.

Should it be disabled in future versions of WO by default? I vote for "Yes, ASAP!".

I can't think of any reason to have this / any valid use for this not better done with a direct action. I agree this should be at least disabled if not entirely removed. I'd guess that this got added as part of features that never made it into the product or that have been removed long, long ago.

Do you want to file a bug on this?

Chuck

* For those of you who don't have Chuck's and Sacha's book (go buy it NOW) the problem is that in ANY WO app you can type in the URL bar: http://server.com/WebObjects/MyApp.woa/wo/ aComponentName.wo and you instantly load that component on the browser. Yes, really.

  Yours

Miguel Arroz

Miguel Arroz
http://www.terminalapp.net
http://www.ipragma.com


--

Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or who are trying to solve specific problems.
http://www.global-village.net/products/practical_webobjects





_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden




  • Follow-Ups:

      

    • Re: [philosophical question] Direct component access: does it have	any use at all?

      • From: Miguel Arroz <email@hidden>
      • 





References: 


 >[philosophical question] Direct component access: does it have any	use at all? (From: Miguel Arroz <email@hidden>)






    

  • Prev by Date:
Re: [philosophical question] Direct component access: does it have	any use at all?

    • 

  • Next by Date:
Re: WO5.4 and Java Client

    • 

  • Previous by thread:
Re: [philosophical question] Direct component access: does it have	any use at all?

    • 

  • Next by thread:
Re: [philosophical question] Direct component access: does it have	any use at all?

    • 

  • Index(es):

      

    • Date
      • 

    • Thread
      • 

    

    •