TRAILS-68

security is not enforced on activateExternalPage, not for ListPage or EditPage

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.0.0, 1.1.0
    • Fix Version/s: 1.1.0
    • Component/s: trails-security
    • Labels: None
    • Number of attachments: 0

      Description

      Log in as a user in the "security" example and then try to access these links:
      http://localhost:8080/external.svc?page=DefaultList&sp=Dorg.trails.security.domain.User
      http://localhost:8080/external.svc?page=DefaultEdit&sp=HIBRN8%3ADorg.trails.security.domain.User%3A1

      You can bypass security using bookmarks, or by guessing the URL, which (as you can see) isn't difficult at all.

        Activity

        Alejandro Scandroli made changes -
        Description: minor wording edit (text as shown above)
        Kalle Korhonen made changes -
        Assignee: Kalle Korhonen [ kaosko ]
        Kalle Korhonen added a comment -

        Resolved by configuring the security example to use SecurePersistenceImpl. Now when logged in as a user, the user list link gives you a list with that user only. The edit link with that user's id gives you the user edit page, but results in a null pointer exception for any other user id. Better out-of-the-box graceful exception handling is part of TRAILS-57.

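The following Python is an added illustration, not Trails code: it models the two enforcement points the report and the fix describe. The bookmarkable external page service performs no check of its own, so moving the authorization rule into the persistence implementation is what closes the bypass. The class and method names, the sample users and the "admins see all, others see their own row" rule are assumptions.

```python
from dataclasses import dataclass

# Constructed sample rows standing in for the security example's User table (not real data).
@dataclass(frozen=True)
class User:
    id: int
    username: str
    roles: frozenset

USERS = [User(1, "admin", frozenset({"ROLE_ADMIN"})), User(2, "user", frozenset({"ROLE_USER"}))]


class PersistenceImpl:
    """Unfiltered store: the pre-fix behaviour, where any caller sees every instance."""

    def __init__(self, rows):
        self.rows = list(rows)

    def get_instances(self, caller, entity):
        return list(self.rows)

    def get_instance(self, caller, entity, id):
        return next((r for r in self.rows if r.id == id), None)


class SecurePersistenceImpl(PersistenceImpl):
    """Adds an authorization rule at the data layer (assumed here: admins see every row,
    anyone else only their own). Every page reaches data through this layer, so a
    bookmarked or guessed URL can no longer reach rows the caller may not see."""

    def allowed(self, caller, row):
        return "ROLE_ADMIN" in caller.roles or row.id == caller.id

    def get_instances(self, caller, entity):
        return [r for r in super().get_instances(caller, entity) if self.allowed(caller, r)]

    def get_instance(self, caller, entity, id):
        row = super().get_instance(caller, entity, id)
        # None for a forbidden id; the fix comment notes the edit page then fails with a
        # NullPointerException, which is the graceful-handling work tracked in TRAILS-57.
        return row if row is not None and self.allowed(caller, row) else None


def activate_external_page(persistence, caller, page, entity, id=None):
    """Models external.svc?page=...&sp=... : dispatches on the page name and performs no
    authorization of its own, which is why the bypass in TRAILS-68 worked."""
    if page == "DefaultList":
        return persistence.get_instances(caller, entity)
    if page == "DefaultEdit":
        return persistence.get_instance(caller, entity, id)
    raise ValueError(f"unknown page {page!r}")
```

Swapping the persistence implementation is the only change between the vulnerable and fixed runs; the page service is untouched in both.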
        Kalle Korhonen made changes -
        Status: Open [ 1 ] -> Resolved [ 5 ]
        Resolution: Fixed [ 1 ]
        Alejandro Scandroli made changes -
        Status: Resolved [ 5 ] -> Closed [ 6 ]

          People

          • Assignee: Kalle Korhonen
          • Reporter: Alejandro Scandroli
          • Votes: 0
          • Watchers: 0
