but instantiation authorized does just what it says: is the creation of a page/component possible.

For extra checks you need:

    /**
     * @see wicket.authorization.IAuthorizationStrategy#isActionAuthorized(wicket.Component,
     *      wicket.authorization.Action)
     */
    public boolean isActionAuthorized(Component c, Action action)
    {
        // called for every action (RENDER, ENABLE) on a component, not only once at creation
        return true;
    }

and then the action:

public static final Action RENDER = new Action(Action.RENDER);

is used.

johan


On 2/27/07, Martin Benda <[EMAIL PROTECTED]> wrote:

Hi,

isn't IAuthorizationStrategy#isInstantiationAuthorized() quite prone to
security related bugs? Authorization is checked only when a page (or any
other component) is instantiated - the page instance is then stored in a
page map. After a user logs out he can still access these secured pages
stored in the page map. This IMHO opens dangerous security holes in secured
wicket applications...

One possible solution is to call Session.get().clear() when a user logs
out - but it won't work when a user's authorization can dynamically change
during his session (e.g. roles are added or removed).

Moreover, Session.get().clear() does not work in current wicket-2.0snapshot
(I just created WICKET-331 issue).

I think that there should be a mechanism that checks authorization every
time a page instance is created or retrieved from a page map. Something like
isAccessAuthorized(Class<? extends Page> pageClass). Another question: do
we need this fine-grained isInstantiationAuthorized(componentClass) at all?

WDYT?

Regards,
Bendis
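An added example (not code from either poster or from the Wicket project) of the approach Johan describes applied to Martin's concern: the strategy below checks roles in isInstantiationAuthorized and again in isActionAuthorized for Component.RENDER, reading roles from the live session on every render, so a page left in the page map after logout or a role change no longer passes. The RoleSource hook and the page-class-to-role map are assumptions of this example; wicket.Component, wicket.Page, wicket.authorization.Action, IAuthorizationStrategy and Component.RENDER are the 1.x API the thread refers to.

```java
import java.util.Map;
import java.util.Set;

import wicket.Component;
import wicket.Page;
import wicket.authorization.Action;
import wicket.authorization.IAuthorizationStrategy;

/**
 * Checks the current user's roles when a page is instantiated and again on
 * every RENDER, so authorization follows the session state rather than the
 * state at the moment the page instance was created and put in the page map.
 */
public class RenderCheckingAuthorizationStrategy implements IAuthorizationStrategy
{
    /** Assumed hook: supplies the roles of the user bound to the current request
     *  (an application's Session subclass would typically implement it). */
    public interface RoleSource
    {
        Set<String> currentRoles();
    }

    private final Map<Class<? extends Page>, String> requiredRole; // page class -> role it needs
    private final RoleSource roles;

    public RenderCheckingAuthorizationStrategy(Map<Class<? extends Page>, String> requiredRole,
            RoleSource roles)
    {
        this.requiredRole = requiredRole;
        this.roles = roles;
    }

    /** Pages without an entry in the table are public; others need the mapped role now. */
    private boolean authorized(Class<?> pageClass)
    {
        String needed = requiredRole.get(pageClass);
        return needed == null || roles.currentRoles().contains(needed);
    }

    public boolean isInstantiationAuthorized(Class componentClass)
    {
        // Only page classes are access-controlled; other components may always be created.
        return !Page.class.isAssignableFrom(componentClass) || authorized(componentClass);
    }

    public boolean isActionAuthorized(Component component, Action action)
    {
        if (!Component.RENDER.equals(action))
        {
            return true; // ENABLE and any other actions are not restricted by this strategy
        }
        // Re-evaluated on each render: roles come from the session at this moment,
        // not from when the page was instantiated.
        return authorized(component.getPage().getClass());
    }
}
```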
