[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-1224) Consider integration of security with App Framework
1:03 p.m.
Consider integration of security with App Framework
---------------------------------------------------
Key: JBSEAM-1224
URL: http://jira.jboss.com/jira/browse/JBSEAM-1224
Project: JBoss Seam
Issue Type: Feature Request
Components: Core, Security
Affects Versions: 1.2.1.GA
Reporter: Pete Muir
Assigned To: Shane Bryzak
From the forums:
'One down side to using EntityHome for generic crud is lack of built in security. One
needs to be careful when using Homes for crud operations that allow or require
RequestParameters. You need to ensure the operation on this ID is valid. You don't
want to expose information you shouldn't and you definitely don't want to modify
or destroy information you shouldn't.
For example, you don't want a user to update or delete another user's entity just
by changing an ID in the URL and hitting return. Seam supports entity level security and
you can probably extend a Home to double check access restrictions prior to operations.
Likewise, you don't want private information available on lets say a user profile
screen, to be available to anyone able to modify a URL.'
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:05 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-1224) Consider integration of security with App Framework
[ http://jira.jboss.com/jira/browse/JBSEAM-1224?page=all ]
Pete Muir updated JBSEAM-1224:
------------------------------
JBoss Forum Reference:
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039575#...
Shane, I'm not sure if this is a sensible thing to do or not - feel free to close the
issue :)
Consider integration of security with App Framework
---------------------------------------------------
Key: JBSEAM-1224
URL: http://jira.jboss.com/jira/browse/JBSEAM-1224
Project: JBoss Seam
Issue Type: Feature Request
Components: Core, Security
Affects Versions: 1.2.1.GA
Reporter: Pete Muir
Assigned To: Shane Bryzak
From the forums:
'One down side to using EntityHome for generic crud is lack of built in security.
One needs to be careful when using Homes for crud operations that allow or require
RequestParameters. You need to ensure the operation on this ID is valid. You don't
want to expose information you shouldn't and you definitely don't want to modify
or destroy information you shouldn't.
For example, you don't want a user to update or delete another user's entity just
by changing an ID in the URL and hitting return. Seam supports entity level security and
you can probably extend a Home to double check access restrictions prior to operations.
Likewise, you don't want private information available on lets say a user profile
screen, to be available to anyone able to modify a URL.'
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:25 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1224) Consider integration of security with App Framework
[ http://jira.jboss.com/jira/browse/JBSEAM-1224?page=comments#action_12360160 ]
Jim Hazen commented on JBSEAM-1224:
-----------------------------------
I don't know if there's a generic approach to security to be applied here. I was
only suggesting a nod be given to it and that crud pages not be written with reckless
abandon. That said, I wonder if either a subclass or a Home + composition of an access
decider could enhance security a bit. Seam appears to provide most of this already via
@Restrict. However as far as I can tell, this method doesn't work unless you're
able to annotate the entity source and access the main securityRules.drl. What about
cases in which this isn't possible? Can these restrictions be defined via
components.xml? Can securityRules.drl be broken up and shipped with a packaged entity,
like pages.xml can be broken up for navigation?
I wish I had more than just an uneasy feeling. I'll think about this a little more.
Consider integration of security with App Framework
---------------------------------------------------
Key: JBSEAM-1224
URL: http://jira.jboss.com/jira/browse/JBSEAM-1224
Project: JBoss Seam
Issue Type: Feature Request
Components: Core, Security
Affects Versions: 1.2.1.GA
Reporter: Pete Muir
Assigned To: Shane Bryzak
From the forums:
'One down side to using EntityHome for generic crud is lack of built in security.
One needs to be careful when using Homes for crud operations that allow or require
RequestParameters. You need to ensure the operation on this ID is valid. You don't
want to expose information you shouldn't and you definitely don't want to modify
or destroy information you shouldn't.
For example, you don't want a user to update or delete another user's entity just
by changing an ID in the URL and hitting return. Seam supports entity level security and
you can probably extend a Home to double check access restrictions prior to operations.
Likewise, you don't want private information available on lets say a user profile
screen, to be available to anyone able to modify a URL.'
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:43 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1224) Consider integration of security with App Framework
[ http://jira.jboss.com/jira/browse/JBSEAM-1224?page=comments#action_12360161 ]
Pete Muir commented on JBSEAM-1224:
-----------------------------------
As you said, its something we should consider, if nothing else, provide a section in the
doc discussing a pattern for securing an app based on Home objects.
Consider integration of security with App Framework
---------------------------------------------------
Key: JBSEAM-1224
URL: http://jira.jboss.com/jira/browse/JBSEAM-1224
Project: JBoss Seam
Issue Type: Feature Request
Components: Core, Security
Affects Versions: 1.2.1.GA
Reporter: Pete Muir
Assigned To: Shane Bryzak
From the forums:
'One down side to using EntityHome for generic crud is lack of built in security.
One needs to be careful when using Homes for crud operations that allow or require
RequestParameters. You need to ensure the operation on this ID is valid. You don't
want to expose information you shouldn't and you definitely don't want to modify
or destroy information you shouldn't.
For example, you don't want a user to update or delete another user's entity just
by changing an ID in the URL and hitting return. Seam supports entity level security and
you can probably extend a Home to double check access restrictions prior to operations.
Likewise, you don't want private information available on lets say a user profile
screen, to be available to anyone able to modify a URL.'
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:29 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1224) Consider integration of security with App Framework
[ http://jira.jboss.com/jira/browse/JBSEAM-1224?page=comments#action_12397620 ]
Shane Bryzak commented on JBSEAM-1224:
--------------------------------------
I'm certain that we can integrate this with ACL-based security, once it's
implemented.
Consider integration of security with App Framework
---------------------------------------------------
Key: JBSEAM-1224
URL: http://jira.jboss.com/jira/browse/JBSEAM-1224
Project: JBoss Seam
Issue Type: Feature Request
Components: Core, Security
Affects Versions: 1.2.1.GA
Reporter: Pete Muir
Assigned To: Shane Bryzak
From the forums:
'One down side to using EntityHome for generic crud is lack of built in security.
One needs to be careful when using Homes for crud operations that allow or require
RequestParameters. You need to ensure the operation on this ID is valid. You don't
want to expose information you shouldn't and you definitely don't want to modify
or destroy information you shouldn't.
For example, you don't want a user to update or delete another user's entity just
by changing an ID in the URL and hitting return. Seam supports entity level security and
you can probably extend a Home to double check access restrictions prior to operations.
Likewise, you don't want private information available on lets say a user profile
screen, to be available to anyone able to modify a URL.'
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6130
days inactive
6414
days old
4 comments
3 participants
participants (3)
-
Jim Hazen (JIRA) -
Pete Muir (JIRA)
-
Shane Bryzak (JIRA)