Trails

security is not enforced on activateExternalPage, not for ListPage or EditPage

Details

  • Type: Bug
  • Status: Closed
  • Priority: Critical
  • Resolution: Fixed
  • Affects Version/s: 1.0.0, 1.1.0
  • Fix Version/s: 1.1.0
  • Component/s: trails-security
  • Labels: None
  • Number of attachments: 0

Description

Login as user in the "security" example and then try to access these links:
http://localhost:8080/external.svc?page=DefaultList&sp=Dorg.trails.security.domain.User
http://localhost:8080/external.svc?page=DefaultEdit&sp=HIBRN8%3ADorg.trails.security.domain.User%3A1

You can bypass security using bookmarks, or by guessing the URL, which (as you can see) isn't difficult at all.

Activity

Kalle Korhonen added a comment -

Resolved by configuring the security example to use SecurePersistenceImpl. Now, when logged in as user, the user list link gives you a list with that user only. The edit link with that user's id gives you the user edit page, but results in a null pointer exception for any other user id. Better out-of-the-box graceful exception handling is part of TRAILS-57.

