
Re: [philosophical question] Direct component access: does it have any use at all?


  • Subject: Re: [philosophical question] Direct component access: does it have any use at all?
  • From: Miguel Arroz <email@hidden>
  • Date: Tue, 6 Nov 2007 21:50:06 +0000

Hi!

  Sorry, I totally forgot to answer this.

My point is not that it's hard to solve: it actually isn't, and the answer is on the page I referred to in the Practical WO book. My point is that most people actually don't know that they have this problem at all, so they don't fix it. I bet a lot of people have deployed WO apps with obvious component names right there waiting to be accessed in a non-expected way. And this includes at least one of Apple's apps...

  Yours

Miguel Arroz



On 2007/11/04, at 19:10, Galen Rhodes wrote:

You could try catching it in the dispatchRequest method in the Application class. Something like the following (NOTE: this is untested and completely Q&D (quick and dirty)):

	import com.webobjects.appserver.WOApplication;
	import com.webobjects.appserver.WORequest;
	import com.webobjects.appserver.WOResponse;

	public class Application extends WOApplication {
		// Intercept every request before WebObjects routes it to a request handler.
		@Override
		public WOResponse dispatchRequest(WORequest req) {
			// A URI ending in ".wo" (or containing ".wo/") is a direct request
			// for a component template, e.g. .../wo/SomeComponent.wo
			if(req.uri().endsWith(".wo") || req.uri().indexOf(".wo/") > 0) {
				// Swallow it: send an empty response instead of the rendered component.
				return new WOResponse();
			}
			else {
				return super.dispatchRequest(req);
			}
		}
	}

--
Galen Rhodes
email@hidden

"There is no worse tyranny than to force a man to pay for what he does not want merely because you think it would be good for him."

-- Robert Heinlein --



On Nov 4, 2007, at 11:55 AM, Miguel Arroz wrote:

Hi!

I was checking out the "Preventing Direct Component Access" section in page 137 of Practical WO book. *

This is an easy issue to avoid, as long as you know that you have to do it.

My question is: as most people don't, shouldn't this feature be disabled by default? This is a huge security hole. Of course all my pages are protected with an "IsAuthenticated" wrapper, but I can't do the same to all my little subcomponents, due to keeping my sanity. And obviously I have no idea how every subcomponent will react to this kind of access, specifically whether they will reveal info that they shouldn't or just throw an exception.

So, I don't see any use at all for this "feature", as we have Direct Actions to do this decently. The only good use for this is to get iTunes music and Mac Pros for free! ;) Kidding, but seriously, this COULD be a huge security breach on many apps out there.

Should it be disabled in future versions of WO by default? I vote for "Yes, ASAP!".

* For those of you who don't have Chuck's and Sacha's book (go buy it NOW), the problem is that in ANY WO app you can type in the URL bar: http://server.com/WebObjects/MyApp.woa/wo/aComponentName.wo and you instantly load that component in the browser. Yes, really.

  Yours

Miguel Arroz

Miguel Arroz
http://www.terminalapp.net
http://www.ipragma.com



_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:


This email sent to email@hidden


Miguel Arroz
http://www.terminalapp.net
http://www.ipragma.com
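A somewhat fuller version of the dispatchRequest filter discussed above, added here as an example; it is not code from the thread, from the Practical WO book or from the WebObjects distribution. It assumes the WebObjects 5 API names WORequest.requestHandlerKey(), WORequest.requestHandlerPath() and WOApplication.componentRequestHandlerKey(), treats any component-handler path that names a ".wo" template as a direct component request (the URL shape Miguel describes), and answers with a logged 404 rather than an empty 200 so the rejection shows up in logs and monitoring.

```java
import com.webobjects.appserver.WOApplication;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOResponse;
import com.webobjects.foundation.NSLog;

public class Application extends WOApplication {

    // True when the handler path names a component template directly,
    // e.g. "SomeComponent.wo" or "SESSIONID/SomeComponent.wo".
    // Normal component-action paths carry numeric element IDs, not ".wo".
    static boolean isDirectComponentRequest(String path) {
        if (path == null) {
            return false;
        }
        // Drop any query string so "Main.wo?x=1" is still recognised.
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q);
        }
        String lower = path.toLowerCase();
        return lower.endsWith(".wo") || lower.indexOf(".wo/") >= 0;
    }

    @Override
    public WOResponse dispatchRequest(WORequest req) {
        // Only the component request handler ("wo") serves templates by name;
        // direct actions ("wa") and web server resources ("wr") are left alone.
        String key = req.requestHandlerKey();
        if (componentRequestHandlerKey().equals(key)
                && isDirectComponentRequest(req.requestHandlerPath())) {
            // Record the attempt: repeated hits on guessed component names
            // are worth alerting on.
            NSLog.out.appendln("Rejected direct component access: " + req.uri());
            WOResponse res = new WOResponse();
            res.setStatus(404);
            res.setHeader("text/plain", "content-type");
            res.setContent("Not Found");
            return res;
        }
        return super.dispatchRequest(req);
    }
}
```

Pages that must be reachable by name should be exposed through Direct Actions, as Miguel suggests, rather than by punching holes in this check.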




