Hi!
Sorry, wrong mail-list... too many emails starting with WO...
Yours
Miguel Arroz
On 2007/11/04, at 16:40, Miguel Arroz wrote:
> Hi!
>
> I was checking out the "Preventing Direct Component Access"
> section in page 137 of Practical WO book. *
>
> This is an easy issue to avoid, as long as you know that you have
> to do it.
>
> My question is: as most people don't, shouldn't this feature be
> disabled by default? This is a huge security hole. Of course all my
> pages are protected with a "IsAuthenticated" wrapper, but I can't
> do the same to all my little subcomponents, due to keeping my
> sanity. And obviously I have no idea how every subcomponent will
> react to this kind of access, specifically if they will reveal info
> they shouldn't or just throw an exception.
>
> So, I don't see any use at all for this "feature", as we have
> Direct Actions to do this decently. The only good use for this is
> to get iTunes music and Mac Pros for free! ;) Kidding, but
> seriously, this COULD be a huge security breach on many apps out
> there.
>
> Should it be disabled in future versions of WO by default? I vote
> for "Yes, ASAP!".
>
> * For those of you who don't have Chuck's and Sacha's book (go
> buy it NOW) the problem is that in ANY WO app you can type in the
> URL bar: http://server.com/WebObjects/MyApp.woa/wo/aComponentName.wo
> and you instantly load that component on the browser. Yes, really.
>
> Yours
>
> Miguel Arroz
>
> Miguel Arroz
> http://www.terminalapp.net
> http://www.ipragma.com
Miguel Arroz
http://www.terminalapp.net
http://www.ipragma.com
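The quoted post describes the problem (any URL of the form `/WebObjects/MyApp.woa/wo/SomeComponent.wo` instantiates the named component directly, bypassing an "IsAuthenticated" wrapper page) but not a fix. The following is an added example, not code from the post, the mailing list or the Practical WebObjects book: an `Application` subclass that refuses such requests before any component is created. It assumes the WebObjects 5.x Java API names used below (`WOApplication.dispatchRequest`, `WOApplication.componentRequestHandlerKey`, `WORequest.requestHandlerKey`/`requestHandlerPath`, `WOResponse.setStatus`) behave as their names suggest; the legitimate component-action URL shape `/wo/<sessionID>/<contextID>.<elementID>` that the check relies on is also an assumption about the deployment.

```java
// Added example: refuse "direct component access" URLs application-wide.
// Not from the post or the book; API names below are assumed (WebObjects 5.x).
import com.webobjects.appserver.WOApplication;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOResponse;
import com.webobjects.foundation.NSLog;

public class Application extends WOApplication {

    public static void main(String[] argv) {
        WOApplication.main(argv, Application.class);
    }

    /**
     * True when a request on the component request handler ("wo") names a page
     * by its file name (SomeComponent.wo) instead of carrying a session/context
     * id. Legitimate component-action URLs look like /wo/<sessionID>/<contextID>.<elementID>,
     * so a handler path ending in ".wo" is the direct-access case the post describes.
     */
    static boolean isDirectComponentRequest(String handlerKey, String handlerPath, String componentKey) {
        if (handlerKey == null || !handlerKey.equals(componentKey)) {
            return false; // direct actions (/wa/), resources (/wr/) etc. are untouched
        }
        if (handlerPath == null) {
            return false;
        }
        String path = handlerPath;
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q); // ignore any query string
        }
        return path.endsWith(".wo");
    }

    @Override
    public WOResponse dispatchRequest(WORequest request) {
        if (isDirectComponentRequest(request.requestHandlerKey(),
                                     request.requestHandlerPath(),
                                     componentRequestHandlerKey())) {
            // Log the attempt so it shows up in monitoring, then answer without
            // instantiating any component (no session, no page, no side effects).
            NSLog.out.appendln("Refused direct component access: " + request.uri());
            WOResponse response = new WOResponse();
            response.setStatus(404);
            response.setContent("Not found");
            return response;
        }
        return super.dispatchRequest(request);
    }
}
```

Handling this in `dispatchRequest` rather than in each page keeps the check in one place, which addresses the "I can't wrap every little subcomponent" concern in the post: subcomponents never see the request at all. Answering 404 rather than an exception page avoids confirming which component names exist. Test it by requesting a known component name through the `/wo/` handler and checking that the log line appears and no component constructor runs.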
This archive was generated by hypermail 2.0.0 : Sun Nov 04 2007 - 11:58:15 EST