Trails
  1. Trails
  2. TRAILS-68

security is not enforced on activateExternalPage, not for ListPage or EditPage

    Details

    • Type: Bug Bug
    • Status: Closed Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 1.0.0, 1.1.0
    • Fix Version/s: 1.1.0
    • Component/s: trails-security
    • Labels:
      None
    • Number of attachments :
      0

      Description

      Login as user in the "security" example and then try to access these links:
      http://localhost:8080/external.svc?page=DefaultList&sp=Dorg.trails.security.domain.User
      http://localhost:8080/external.svc?page=DefaultEdit&sp=HIBRN8%3ADorg.trails.security.domain.User%3A1

      You can bypass security using bookmarks, or guessing the url which (as you can see) isn't difficult at all.

        Activity

        Hide
        Kalle Korhonen added a comment -

        Resolved by configuring security example to use SecurePersistenceImpl. Now when logged in as user, user list link gives you a list with that user only. Edit link with that user's id gives you the user edit page, but results in null pointer exception for any other user id. Better out-of-the box graceful exception handling is part of TRAILS-57.

        Show
        Kalle Korhonen added a comment - Resolved by configuring security example to use SecurePersistenceImpl. Now when logged in as user, user list link gives you a list with that user only. Edit link with that user's id gives you the user edit page, but results in null pointer exception for any other user id. Better out-of-the box graceful exception handling is part of TRAILS-57 .

          People

          • Assignee:
            Kalle Korhonen
            Reporter:
            Alejandro Scandroli
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: