Issue Details (XML | Word | Printable)

Key: TRAILS-68
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Critical Critical
Assignee: Kalle Korhonen
Reporter: Alejandro Scandroli
Votes: 0
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
Trails

security is not enforced on activateExternalPage, not for ListPage or EditPage

Created: 16/Jun/07 01:53 PM   Updated: 07/Apr/08 11:34 AM
Component/s: trails-security
Affects Version/s: 1.0.0, 1.1.0
Fix Version/s: 1.1.0

Time Tracking:
Not Specified


 Description  « Hide
Login as user in the "security" example and then try to access these links:
http://localhost:8080/external.svc?page=DefaultList&sp=Dorg.trails.security.domain.User
http://localhost:8080/external.svc?page=DefaultEdit&sp=HIBRN8%3ADorg.trails.security.domain.User%3A1

You can bypass security using bookmarks, or guessing the url which (as you can see) isn't difficult at all.

 All   Comments   Work Log   Change History      Sort Order: Ascending order - Click to sort in descending order
[ Permalink | « Hide ]
Kalle Korhonen added a comment - 17/Jun/07 01:36 AM
Resolved by configuring security example to use SecurePersistenceImpl. Now when logged in as user, user list link gives you a list with that user only. Edit link with that user's id gives you the user edit page, but results in null pointer exception for any other user id. Better out-of-the box graceful exception handling is part of TRAILS-57.


Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.3-#344) - Bug/feature request - Atlassian news - Contact Administrators