On Nov 4, 2007, at 8:55 AM, Miguel Arroz wrote:

Hi!

I was checking out the "Preventing Direct Component Access" section on page 137 of the Practical WO book. *

This is an easy issue to avoid, as long as you know that you have to do it.

My question is: as most people don't, shouldn't this feature be disabled by default? This is a huge security hole. Of course all my pages are protected with an "IsAuthenticated" wrapper, but I can't do the same to all my little subcomponents, due to keeping my sanity. And obviously I have no idea how every subcomponent will react to this kind of access, specifically whether they will reveal info that they shouldn't or just throw an exception.

So, I don't see any use at all for this "feature", as we have Direct Actions to do this decently. The only good use for this is to get iTunes music and Mac Pros for free! ;) Kidding, but seriously, this COULD be a huge security breach on many apps out there.

Should it be disabled in future versions of WO by default? I vote for "Yes, ASAP!".

I can't think of any reason to have this / any valid use for this not better done with a direct action. I agree this should be at least disabled if not entirely removed. I'd guess that this got added as part of features that never made it into the product or that have been removed long, long ago.

Do you want to file a bug on this?

Chuck

* For those of you who don't have Chuck's and Sacha's book (go buy it NOW), the problem is that in ANY WO app you can type in the URL bar: http://server.com/WebObjects/MyApp.woa/wo/aComponentName.wo and you instantly load that component in the browser. Yes, really.

  Yours

Miguel Arroz

Miguel Arroz
http://www.terminalapp.net
http://www.ipragma.com

--

Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or who are trying to solve specific problems.
http://www.global-village.net/products/practical_webobjects
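For readers who want to close the hole described above without touching every subcomponent, the following is an added example of an application-level guard; it is not code from the thread, from the Practical WebObjects book, or from Apple. It assumes a WebObjects 5.x Application subclass, that the component request handler is registered under WOApplication.componentRequestHandlerKey() (the "wo" segment in Miguel's URL), and that a direct component-by-name request shows up as a bare "aComponentName.wo" in WORequest.requestHandlerPath() with no session/context segments, which is the URL shape the footnote shows. The allowlist (DIRECT_COMPONENT_ALLOWLIST) is a hypothetical name introduced here; it is empty on purpose, because anything you intend to expose by URL belongs in a Direct Action.

```java
// Added example (not the thread's, the book's or Apple's code): refuse direct
// component-by-name requests such as /WebObjects/MyApp.woa/wo/Secret.wo before
// the component request handler ever instantiates the page.
//
// Assumptions: WebObjects 5.x API; WOApplication.componentRequestHandlerKey()
// is the key the component handler is registered under; a by-name request
// carries "Name.wo" (no '/'-separated session and context IDs) in
// requestHandlerPath(). Verify the last point against your WO version by
// logging requestHandlerPath() for a normal component action first.
import java.util.Collections;
import java.util.Set;

import com.webobjects.appserver.WOApplication;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOResponse;

public class Application extends WOApplication {

    // Hypothetical allowlist of components that may be loaded by name.
    // Kept empty: expose functionality through Direct Actions instead.
    private static final Set<String> DIRECT_COMPONENT_ALLOWLIST = Collections.emptySet();

    public static void main(String[] argv) {
        WOApplication.main(argv, Application.class);
    }

    /** Returns the component name if this is a by-name request, else null. */
    static String directComponentName(WORequest request) {
        String key = request.requestHandlerKey();
        String path = request.requestHandlerPath();
        if (key == null || path == null) {
            return null;
        }
        if (!key.equals(WOApplication.componentRequestHandlerKey())) {
            return null;          // direct actions, resources, etc. are untouched
        }
        String p = path.startsWith("/") ? path.substring(1) : path;
        // Session-backed component actions contain '/' separated IDs; a bare
        // "Name.wo" does not (assumption about the URL layout, see header).
        if (p.indexOf('/') >= 0 || !p.endsWith(".wo")) {
            return null;
        }
        return p.substring(0, p.length() - ".wo".length());
    }

    @Override
    public WOResponse handleRequest(WORequest request) {
        String name = directComponentName(request);
        if (name != null && !DIRECT_COMPONENT_ALLOWLIST.contains(name)) {
            // Answer exactly as for an unknown URL so the response does not
            // confirm which component names exist.
            WOResponse denied = new WOResponse();
            denied.setStatus(404);
            denied.setContent("Not found");
            return denied;
        }
        return super.handleRequest(request);
    }
}
```

After deploying, request the URL from the footnote (http://server.com/WebObjects/MyApp.woa/wo/aComponentName.wo) for a component you know exists and confirm you get the same 404 as for a made-up name; then click through a normal session to confirm component actions still work. If the second check fails, your WO version lays out component-action paths differently from the assumption above and the '/' test in directComponentName needs adjusting rather than removing.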

Webobjects-dev mailing list      ([email protected])