[jboss-user] [JBoss Seam] - Re: HowTo: When going to a page to enter data, pull from db
CptnKirk
do-not-reply at jboss.com
Sat Apr 21 23:02:18 EDT 2007
One down side to using EntityHome for generic crud is lack of built in security. One needs to be careful when using Homes for crud operations that allow or require RequestParameters. You need to ensure the operation on this ID is valid. You don't want to expose information you shouldn't and you definitely don't want to modify or destroy information you shouldn't.
For example, you don't want a user to update or delete another user's entity just by changing an ID in the URL and hitting return. Seam supports entity level security and you can probably extend a Home to double check access restrictions prior to operations. Likewise, you don't want private information available on lets say a user profile screen, to be available to anyone able to modify a URL.
My concern is that new Seam users may over use this feature and run into these problems down the road. Or that they won't bother to learn how entity level security works or how to configure it.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039576#4039576
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4039576
More information about the jboss-user
mailing list