Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 1.0.0, 1.1.0
- Fix Version/s: 1.1.0
- Component/s: trails-security
- Labels: None
- Number of attachments:
Description
Log in as a user in the "security" example and then try to access these links:
http://localhost:8080/external.svc?page=DefaultList&sp=Dorg.trails.security.domain.User
http://localhost:8080/external.svc?page=DefaultEdit&sp=HIBRN8%3ADorg.trails.security.domain.User%3A1
You can bypass security using bookmarks, or by guessing the URL, which (as you can see) isn't difficult at all.
Activity
Alejandro Scandroli made changes -

| Field | Original Value | New Value |
|---|---|---|
| Description | Login as a user in the "security" example and then try to access this links: http://localhost:8080/external.svc?page=DefaultList&sp=Dorg.trails.security.domain.User http://localhost:8080/external.svc?page=DefaultEdit&sp=HIBRN8%3ADorg.trails.security.domain.User%3A1 You can bypass security using bookmarks, or guessing the url which (as you can see) isn't difficult at all. | Login as user in the "security" example and then try to access these links: http://localhost:8080/external.svc?page=DefaultList&sp=Dorg.trails.security.domain.User http://localhost:8080/external.svc?page=DefaultEdit&sp=HIBRN8%3ADorg.trails.security.domain.User%3A1 You can bypass security using bookmarks, or guessing the url which (as you can see) isn't difficult at all. |

Kalle Korhonen made changes -

| Field | Original Value | New Value |
|---|---|---|
| Assignee | | Kalle Korhonen [ kaosko ] |

Kalle Korhonen made changes -

| Field | Original Value | New Value |
|---|---|---|
| Status | Open [ 1 ] | Resolved [ 5 ] |
| Resolution | | Fixed [ 1 ] |

Alejandro Scandroli made changes -

| Field | Original Value | New Value |
|---|---|---|
| Status | Resolved [ 5 ] | Closed [ 6 ] |
Resolved by configuring the security example to use SecurePersistenceImpl. Now, when logged in as a user, the user list link gives you a list with that user only. The edit link with that user's id gives you the user edit page, but results in a null pointer exception for any other user id. Better out-of-the-box graceful exception handling is part of TRAILS-57.
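The fix described in the resolution comment, enforcing the owner filter inside the persistence layer so that a bookmarked or hand-typed entity id cannot reach another user's record, as an added Python sketch. This is not Trails' own SecurePersistenceImpl; the User type, the in-memory store, the role field and the AccessDenied exception (used in place of the null pointer exception the comment mentions) are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    username: str
    role: str  # assumed: "admin" or "user"


class AccessDenied(Exception):
    """Raised in the data layer instead of letting a null reach the page."""


class SecurePersistence:
    """Applies the caller's identity to every query, so link hiding in the UI
    is no longer the only thing standing between a URL and the data."""

    def __init__(self, store, principal):
        self._store = store          # constructed: {entity_type: {id: entity}}
        self._principal = principal  # the logged-in User

    def _visible(self, entity):
        # Admins see everything; ordinary users see only their own User row.
        if self._principal.role == "admin":
            return True
        return not isinstance(entity, User) or entity.id == self._principal.id

    def get_instances(self, entity_type):
        # Backs a DefaultList-style page: the filter runs on the query result.
        rows = self._store.get(entity_type, {}).values()
        return [e for e in rows if self._visible(e)]

    def get_instance(self, entity_type, entity_id):
        # Backs a DefaultEdit-style page: a foreign or unknown id fails closed
        # with one typed error, so existence of other ids is not revealed.
        entity = self._store.get(entity_type, {}).get(entity_id)
        if entity is None or not self._visible(entity):
            raise AccessDenied(f"{entity_type.__name__}:{entity_id} not accessible")
        return entity


# Constructed sample data (not from the tracker).
STORE = {User: {1: User(1, "alice", "user"), 2: User(2, "bob", "user"),
                3: User(3, "root", "admin")}}


def list_users_as(principal_id):
    """Ids a DefaultList page would show to the given logged-in user."""
    p = SecurePersistence(STORE, STORE[User][principal_id])
    return [u.id for u in p.get_instances(User)]


def edit_user_as(principal_id, target_id):
    """Username a DefaultEdit page would load, or 'denied' when filtered."""
    p = SecurePersistence(STORE, STORE[User][principal_id])
    try:
        return p.get_instance(User, target_id).username
    except AccessDenied:
        return "denied"
```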