security is not enforced on activateExternalPage, not for ListPage or EditPage

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.0.0, 1.1.0
Fix Version/s: 1.1.0
Component/s: trails-security
Labels:
None

Number of attachments :
0

Description

Login as user in the "security" example and then try to access these links:
http://localhost:8080/external.svc?page=DefaultList&sp=Dorg.trails.security.domain.User
http://localhost:8080/external.svc?page=DefaultEdit&sp=HIBRN8%3ADorg.trails.security.domain.User%3A1

You can bypass security using bookmarks, or guessing the url which (as you can see) isn't difficult at all.

Activity

Hide

Permalink

Kalle Korhonen added a comment - 17/Jun/07 1:36 AM

Resolved by configuring security example to use SecurePersistenceImpl. Now when logged in as user, user list link gives you a list with that user only. Edit link with that user's id gives you the user edit page, but results in null pointer exception for any other user id. Better out-of-the box graceful exception handling is part of ~~TRAILS-57~~.

Show

Kalle Korhonen added a comment - 17/Jun/07 1:36 AM Resolved by configuring security example to use SecurePersistenceImpl. Now when logged in as user, user list link gives you a list with that user only. Edit link with that user's id gives you the user edit page, but results in null pointer exception for any other user id. Better out-of-the box graceful exception handling is part of TRAILS-57 .

People

Assignee:

Kalle Korhonen

Reporter:

Alejandro Scandroli

Vote (0)

Watch (0)

Dates

Created:

16/Jun/07 1:53 PM

Updated:

07/Apr/08 11:34 AM

Resolved:

17/Jun/07 1:36 AM