You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tapestry.apache.org by Paul Ferraro <pm...@columbia.edu> on 2005/03/01 00:04:53 UTC

Re: 3.1: Declarative Security Issue

Come to think of it, it's ok to leave the "/app" servlet mapping, so 
long as the web.xml includes an eager security constraint...

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>...</web-resource-name>
            <url-pattern>/app</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name></role-name>          <!-- i.e. nobody has access -->
        </auth-constraint>
    </security-constraint>

This way, a developer can still perform a server-side forward or include 
to a "/app" uri.

Paul

Paul Ferraro wrote:

> This is exactly why I did not base my friendly url implementation on 
> servlet filters...
> The web.xml files for my friendly url applications do not include a 
> servlet mapping for /app - only extension (i.e. *.something) mappings 
> for each type of service.
>
> Paul
>
> Howard Lewis Ship wrote:
>
>> I just had a thought.
>>
>> Say you require admin role to access the "/admin" folder of your app.
>>
>> You create a admin/DeleteUser page and think "only admins can access 
>> this".
>>
>> Along comes a hacker with knowledge of Tapestry, and types in the URL:
>>
>> /app?service=external&page=admin/DeleteUser&sp=l101010
>>
>> (or such)
>>
>> Unless there's some interior check inside pageValidate(), this may
>> work even though the user doesn't have the necessary access.
>>
>> Even if it isn't DeleteUser, but just ShowUserCreditCardInfo, this is 
>> not good.
>>
>> It's hard to know where  to put logic for this; the external service
>> will not be able to tell the difference between the two by the time it
>> gets invoked.  In many cases, it is perfectly valid for either URL
>> variation to be used.
>>
>> Just want people to put their thinking caps on.  The very flexibility
>> of Tapestry appears to be biting us here.  Perhaps we need a way to
>> ensure that the path URI matches the page's folder.
>>
>>  
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org