Originally posted by George Stoianov:
I don't know if everyone is familiar with the Gmail JavaScript problem, where a user was able, through JavaScript, to get into someone else's mailbox.
Can you show me a link or two discussing this issue?
http://apress.com/book/bookDisplay.html?bID=10044
Author: Pro JSF and Ajax: Building Rich Internet Components, Apress
Originally posted by Sergey Smirnov:
The ability to access a bean method directly using an easy-to-reproduce URL string that works around the main JSF life-cycle sounds like a huge potential security hole. One method can return a suggestion list, but another one cleans up all the records in the database. Does a protection against such violations exist in the project?
You did not get my point, sorry. The bean set is the same. So, if one of your pages contains a button that allows cleaning up the records (like <h:commandButton value="clean" action="#{bean.removeAll}" />), removeAll must be a public method independently of whether you have an AJAX behavior or not.
Originally posted by Gerardo Tasistro:
Well that's like running as root. You don't do it. Your bean only has methods that do what needs to be done.
Javaville Gazette (http://labryssystems.net/pblog/index.php)
Non-cooperation with evil is a duty. -- Mahatma Gandhi
Well, actually my comments have little to do with JSF and more to do with AJAX, which can be applied without JSF. JSF is pretty much like JSP: you can set permissions on files through the container. My worry with AJAX is that calls are usually handled by one servlet...
Originally posted by Gerardo Tasistro:
Eric, my main concern with AJAX is that all the frameworks seem to funnel it down to one servlet that could be recycled over and over through the whole application. I agree completely that it is like a form post, but it is a form whose URL looks the same from all your pages. So your standard "form in a page and I secure my page" security doesn't work the same.
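The single-servlet concern raised above, as an added example (not code from this thread or from any framework mentioned in it): a constructed Java dispatcher in the weak reflective form next to an allow-list form that ties each action to a container role. RecordBean, AjaxRequest and the role name "user" are assumptions made for the example.

```java
import java.util.*;
import java.util.function.Function;

// Constructed bean for this example: both methods are public because a JSF page binds
// to both (a suggestion field and a "clean" commandButton), as the thread points out.
class RecordBean {
    private final List<String> records = new ArrayList<>(List.of("alpha", "beta", "gamma"));
    public List<String> suggest(String prefix) {
        List<String> out = new ArrayList<>();
        for (String r : records) if (r.startsWith(prefix)) out.add(r);
        return out;
    }
    public String removeAll() { records.clear(); return "cleaned"; }
}
// What the single AJAX servlet sees: request parameters plus the caller's container roles.
record AjaxRequest(Map<String, String> params, Set<String> roles) {}

class AjaxDispatcher {
    // Weak pattern: the method name comes from the request, so any public no-arg bean
    // method named in the URL (removeAll included) runs outside the JSF lifecycle and
    // outside whatever page-level security the container applies.
    static Object dispatchByReflection(RecordBean bean, AjaxRequest req) throws Exception {
        return bean.getClass().getMethod(req.params().get("method")).invoke(bean);
    }
    // Hardened pattern: an explicit allow-list of actions, each with the role it requires.
    private record Action(String requiredRole, Function<AjaxRequest, Object> handler) {}
    private final Map<String, Action> actions = new HashMap<>();

    AjaxDispatcher(RecordBean bean) {
        actions.put("suggest", new Action("user",
                r -> bean.suggest(r.params().getOrDefault("q", ""))));
        // removeAll is deliberately not registered: the commandButton reaches it through
        // the normal JSF lifecycle, so the AJAX endpoint has no reason to expose it.
    }
    Object dispatch(AjaxRequest req) {
        Action a = actions.get(req.params().get("method"));
        if (a == null) throw new IllegalArgumentException("404: unknown action");
        if (!req.roles().contains(a.requiredRole())) throw new SecurityException("403: role required");
        return a.handler().apply(req);
    }
    public static void main(String[] args) {
        AjaxDispatcher d = new AjaxDispatcher(new RecordBean());
        System.out.println(d.dispatch(new AjaxRequest(Map.of("method", "suggest", "q", "a"), Set.of("user"))));
        for (String m : new String[]{"removeAll", "suggest"}) {  // unknown action, then missing role
            try { d.dispatch(new AjaxRequest(Map.of("method", m), Set.of())); }
            catch (RuntimeException e) { System.out.println(m + " -> " + e.getMessage()); }
        }
    }
}
```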
Originally posted by Gerardo Tasistro:
Hello fellow ranchers. It seems the forum isn't letting me post all the sample code in this thread, even with the [code] tag. So I'll invite y'all to see them tests here.
AJAX test
[ April 12, 2006: Message edited by: Gerardo Tasistro ]