but instantiation authorized is does just what it says. is the creation of a page/component possible
For extra checks you need: /** * @see wicket.authorization.IAuthorizationStrategy#isActionAuthorized( wicket.Component, * wicket.authorization.Action) */ public boolean isActionAuthorized(Component c, Action action) { return true; } and then the action: public static final Action RENDER = new Action(Action.RENDER); is used. johan On 2/27/07, Martin Benda <[EMAIL PROTECTED]> wrote:
Hi, isn't IAuthorizationStrategy#isInstantiationAuthorized() quite prone to security related bugs? Authorization is checked only when a page (or any other component) is instantiated - the page instance is then stored in a page map. After a user logs out he can still access these secured pages stored in the page map. This IMHO opens dangerous security holes in secured wicket applications... One possible solution is to call Session.get().clear() when a user logs out - but it won't work when user's authorization can dynamically change during his session (e.g. roles are added or removed). Moreover, Session.get().clear() does not work in current wicket-2.0snapshot (I just created WICKET-331 issue). I think that there should be a mechanism that checks authorization everytime a page instance is created or retrieved from a page map. Something like isAccessAuthorized(Class<? extends Page> pageClass). Another question: do we need this fine-grained isInstantisationAuthorized(componentClass) at all? WDYT? Regards, Bendis