[jboss-dev-forums] [Design of Messaging on JBoss (Messaging/JBoss)] - Re: moving SecurityAspect to be an interceptor
ataylor
do-not-reply at jboss.com
Thu Feb 7 06:34:04 EST 2008
That would be exploitable since a rogue client could just send (guess) someone else's user id. Is that different from how the createconnectionrequest works now?
Instead you could maintain a map of packet target id to user id in the server side filter and use that.
That was my first solution, but the interceptors wouldn't get called if the connection was removed by the server and we would end up with an ever-growing map.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127325#4127325