[jboss-user] [JBoss Seam] - Re: Multiple Domain Question
fhh
do-not-reply at jboss.com
Sat Apr 7 13:37:08 EDT 2007
You said:
anonymous wrote :
| I was thinking about how to do this best too for some time and I really think this is useful, not "security by obscurity", because people won't start to fiddle with something if they don't know it's there.
|
anonymous wrote :
| This way normal users can't prove that /admin exists and won't start fiddling with it.
|
What if they find out anyway?
For security you should not rely on people "not fiddling" with your pages. The pages should be secure - FULL STOP. If you have pages that should not be visible to the public then deploy them to a different server or make them available over a different connector.
When it comes to security I am against any snake oil. It gives you the impression that things are secure while they are not - and that makes things worse than they would have been in the first place because it makes you careless.
Having said that I have to add that I am not against the feature suggested. I am just against using it as a security enhancement.
Regards
Felix
P.S.: When I said "the hostname I use to reach your machine is entirely under my control" I was not talking about HTTP referers. I was referring to the idea of the original poster to make security depend on the hostname you use to access the site.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4035536#4035536
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4035536
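An added illustration of the point made in this reply (example code, not from the thread or from Seam): the Host header is chosen by the client, so gating /admin on it is not a boundary, whereas the server-side connector a request arrived on, or an authenticated role, is something the client cannot pick. The hostnames, ports and request are constructed for the example.

```python
"""Compare three ways of deciding whether a request may reach /admin.
Everything here (admin.internal, ports 8080/8443, the sample request)
is constructed for the illustration, not taken from the original thread."""
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    headers: dict           # header values exactly as the client sent them
    local_port: int         # port of the server connector that accepted the socket
    roles: frozenset = frozenset()  # roles of the authenticated user, empty = anonymous


def parse_request(raw: str, local_port: int, roles=()) -> Request:
    """Parse a minimal HTTP/1.1 request head (request line plus headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return Request(path, headers, local_port, frozenset(roles))


def allow_admin_by_host(req: Request) -> bool:
    """Weak: trusts a value the client supplied itself."""
    return req.headers.get("host", "").split(":")[0] == "admin.internal"


def allow_admin_by_connector(req: Request) -> bool:
    """Stronger: the admin app is only served by a connector bound to a
    non-public port, so the server-side port decides, not the Host header."""
    return req.local_port == 8443


def allow_admin_by_role(req: Request) -> bool:
    """Sound: the page itself requires an authenticated admin role."""
    return "admin" in req.roles


def evaluate(req: Request) -> dict:
    """Return the verdict of each policy for one request."""
    return {
        "host": allow_admin_by_host(req),
        "connector": allow_admin_by_connector(req),
        "role": allow_admin_by_role(req),
    }


# Constructed request: arrives on the public connector with an internal-looking Host.
SAMPLE = "GET /admin HTTP/1.1\r\nHost: admin.internal\r\n\r\n"
```

Only the host-based policy grants the constructed request, which shows why hiding /admin behind a hostname gives the impression of security without providing it.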