If you care about security at all, when the user logs out you should be
invalidating their session. If their session is gone, you can't get to any
of this information because their page map is associated with their
session.


Martin Benda wrote:
> 
> Hi,
> 
> isn't IAuthorizationStrategy#isInstantiationAuthorized() quite prone to
> security related bugs? Authorization is checked only when a page (or any
> other component) is instantiated - the page instance is then stored in a
> page map. After a user logs out he can still access these secured pages
> stored in the page map. This IMHO opens dangerous security holes in
> secured wicket applications...
> 
> One possible solution is to call Session.get().clear() when a user logs
> out - but it won't work when user's authorization can dynamically change
> during his session (e.g. roles are added or removed).
> 
> Moreover, Session.get().clear() does not work in current wicket-2.0
> snapshot (I just created WICKET-331 issue).
> 
> I think that there should be a mechanism that checks authorization
> every time a page instance is created or retrieved from a page map.
> Something like isAccessAuthorized(Class<? extends Page> pageClass).
> Another question: do we need this fine-grained
> isInstantiationAuthorized(componentClass) at all?
> 
> WDYT?
> 
> Regards,
> Bendis
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Is-IAuthorizationStrategy-isInstantiationAuthorized-prone-to-security-bugs--tf3299965.html#a9186214
Sent from the Wicket - Dev mailing list archive at Nabble.com.
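As an added example (not from this thread, and not Wicket's own code) of the two mitigations discussed above: invalidating the session on logout so the page map goes with it, and re-checking authorization on every render instead of only at instantiation, so a page that is already in the page map is refused once the user's roles change. It assumes the Wicket 1.3-era API (`IAuthorizationStrategy`, `Action`, `Component.RENDER`, `Session.invalidate()`); `MyWebSession`, `SecuredPage`, `isSignedIn()` and `getRoles()` are hypothetical application classes and methods.

```java
// Added example, not code from the thread or from Wicket itself.
// Assumes the Wicket 1.3-era API; MyWebSession and SecuredPage are
// hypothetical application classes.
import org.apache.wicket.Component;
import org.apache.wicket.Session;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;

public class RecheckingAuthorizationStrategy implements IAuthorizationStrategy {

    // Single place that decides whether the *current* session may see a
    // component. Reading the roles from the live session (rather than
    // caching the answer) is what makes dynamic role changes take effect.
    private boolean allowed(Class componentClass) {
        if (!SecuredPage.class.isAssignableFrom(componentClass)) {
            return true; // unsecured component, nothing to check
        }
        MyWebSession session = (MyWebSession) Session.get(); // hypothetical subclass
        return session.isSignedIn() && session.getRoles().contains("ADMIN");
    }

    // Checked once, when the page is constructed (the check the thread
    // says is not enough on its own).
    public boolean isInstantiationAuthorized(Class componentClass) {
        return allowed(componentClass);
    }

    // Checked again every time the component renders, so an instance that
    // is still sitting in the page map is refused after logout or after a
    // role is removed. Handling of the denial (e.g. redirect to the
    // sign-in page) is assumed to be configured elsewhere in the app.
    public boolean isActionAuthorized(Component component, Action action) {
        if (action == Component.RENDER) {
            return allowed(component.getClass());
        }
        return true;
    }

    // Logout as the reply above recommends: drop the whole session, which
    // also discards the page map and every page instance stored in it.
    public static void logout() {
        Session.get().invalidate();
    }
}
```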