On Thu, Nov 4, 2010 at 12:22 AM, Jeremy Thomerson
jer...@wickettraining.com wrote:
That part of the thread is what I was replying to - that it was then
insecure because the DB ID is in the URL. This is not a standard way of
doing most links in Wicket - because of the security leak
They
A workaround is to use one-time keys (tokens) in a map that you set for the URL
and then
On Thu, Nov 4, 2010 at 4:47 AM, Wilhelmsen Tor Iver toriv...@arrive.no wrote:
You could maybe even implement that as a custom URLCodingStrategy or whatever
new mechanism in 1.5 is better suited for the task. The simplest case would
be just to have a singleton mapper with two methods, one for
That's one more reason why I use UUIDs for my object ids. They're
harder to spoof.
Security by obscurity :-)
Checking the URL is not an option ... any web app claiming to be secure must do
that no matter what the surrogate database key looks like *imho*
On Wed, Nov 3, 2010 at 7:39 PM, Peter Ertl pe...@gmx.org wrote:
Also, if the userID is the id of the currently logged-in user, why not just
store it in your Wicket session when logging on, to make it inaccessible to
the client and prevent spoofing altogether?
Obviously this is more secure. And
hi!
What is a better way to send an object to a web page?
I'm sending it in the constructor, but the URI is not friendly.
thanks!
Passing objects to a web page via the constructor is fine if you feel
comfortable with it. If you want to change the URI, you should take a look at
Wicket URL coding strategies:
https://cwiki.apache.org/WICKET/url-coding-strategies.html. Using coding
strategies you should be able to change the URL as you
You could pass the id of the object (if possible) as a
PageParameter. You can then use a bookmarkable URL for your page.
You'll have to lookup the object from the db, though. Again, this is
only possible if the object is an entity.
On Mon, Nov 1, 2010 at 6:04 PM, andrea del bene
On Mon, Nov 1, 2010 at 5:09 PM, James Carman ja...@carmanconsulting.comwrote:
On Mon, Nov 1, 2010 at 11:30 PM, Jeremy Thomerson
jer...@wickettraining.com wrote:
And, of course, it opens you up to doing more security checks, i.e., you
have editUserProfile.html?userID=123 - now you have to check that the signed-in
person is allowed to edit whatever user they are trying
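Two suggestions in this thread fit together: keep the signed-in user's id in the server-side session and authorize every request against it, whatever the URL carries (the editUserProfile.html?userID=123 case above), and, where an id must travel in a URL, hand out a per-session one-time key instead of the database id (Jeremy's token map). The plain Java below is an added illustration written for this page, not Wicket's own API or code from anyone in the thread; Session, OneTimeKeyMap and EditUserProfile are hypothetical stand-ins for a Wicket WebSession and page, and the user ids are constructed sample data.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class IdInUrlDemo {

    /** Hypothetical per-session indirection map: opaque one-time key -> database id. */
    static final class OneTimeKeyMap {
        private static final SecureRandom RNG = new SecureRandom();
        private final Map<String, Long> keys = new HashMap<>();

        /** Issue a fresh random key for a database id; the URL carries the key, never the id. */
        synchronized String issue(long dbId) {
            byte[] raw = new byte[16];                       // 128 bits, unguessable
            RNG.nextBytes(raw);
            String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            keys.put(key, dbId);
            return key;
        }

        /** Resolve and consume: a key is valid exactly once; unknown or replayed keys give null. */
        synchronized Long consume(String key) {
            return key == null ? null : keys.remove(key);
        }
    }

    /** Hypothetical server-side session: the signed-in id lives here, not in the URL. */
    static final class Session {
        final long signedInUserId;
        final OneTimeKeyMap keys = new OneTimeKeyMap();
        Session(long signedInUserId) { this.signedInUserId = signedInUserId; }
    }

    /** Stand-in for the edit-profile page: whatever the URL says, authorize against the session. */
    static final class EditUserProfile {
        /** Returns the id the page may edit, or throws if the caller may not edit it. */
        static long authorize(Session session, long requestedUserId) {
            if (requestedUserId != session.signedInUserId) {
                throw new SecurityException("user " + session.signedInUserId
                        + " may not edit user " + requestedUserId);
            }
            return requestedUserId;
        }

        /** Plain ?userID=123 style: parse the surrogate key from the URL, then check it. */
        static long fromUrlId(Session session, String userIdParam) {
            return authorize(session, Long.parseLong(userIdParam));
        }

        /** One-time-key style: the URL parameter is opaque; resolve it, then still check it. */
        static long fromUrlKey(Session session, String keyParam) {
            Long resolved = session.keys.consume(keyParam);
            if (resolved == null) {
                throw new SecurityException("unknown or already-used key");
            }
            return authorize(session, resolved);
        }
    }

    public static void main(String[] args) {
        Session alice = new Session(123);                     // constructed sample user

        System.out.println("own id:      " + EditUserProfile.fromUrlId(alice, "123"));
        try {
            EditUserProfile.fromUrlId(alice, "124");          // tampered URL
        } catch (SecurityException e) {
            System.out.println("denied:      " + e.getMessage());
        }

        String key = alice.keys.issue(123);                   // goes into the link instead of 123
        System.out.println("via key:     " + EditUserProfile.fromUrlKey(alice, key));
        try {
            EditUserProfile.fromUrlKey(alice, key);           // replay of the same key
        } catch (SecurityException e) {
            System.out.println("denied:      " + e.getMessage());
        }
    }
}
```

The key map only hides the database id and kills replay; it is not the authorization decision. The check in authorize runs in both paths on purpose, which is the point made above that a UUID or random key in the URL is obscurity, and the server must still verify that the signed-in user may act on the resolved object.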