Confusing authentication for intent

2014-09-14 Thread Christopher Fairhall
Another issue our security audit picked up is when you request a bookmarkable (and perhaps others?) URL when you're logged out, that request gets stored in the HTTP session (this is an assumption based on how it appears to work). When you then log in using the same session id, the user is taken

RE: Authorisation not working in Isis 1.3

2014-09-08 Thread Christopher Fairhall
On Monday, 8 September 2014 6:44 p.m. Dan Haywood d...@haywood-associates.co.uk wrote: Is the URL for an entity? Or the URL for a (query) action? I'm talking about bookmarkable URLs in the format http://localhost:7001/rma/wicket/wicket/bookmarkable/Page class

ErrorPage a target of cross-site-scripting

2014-09-08 Thread Christopher Fairhall
Another issue our security review picked up was the default error page, org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage is vulnerable to XSS via org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel In the constructor of ExceptionStackTracePanel, it adds a Label with the

Authorisation not working in Isis 1.3

2014-09-07 Thread Christopher Fairhall
We've got an Isis application that has failed a security review. The security provider is Shiro. The UI is Wicket. When a user with an admin role logs in, they get access to functionality not available to standard users. However, if a standard user types in the URL to one of the admin pages,