[jboss-user] [JBoss Seam] - Re: Multiple Domain Question

fhh do-not-reply at jboss.com
Sat Apr 7 13:37:08 EDT 2007


You said:
anonymous wrote : 
  | I was thinking about how to do this best too for some time and I really think this is useful, not "security by obscurity", because people won't start to fiddle with something if they don't know it's there.
  | 

anonymous wrote : 
  | This way normal users can't prove that /admin exists and won't start fiddling with it. 
  | 

What if they find out anyway?

For security you should not rely on people "not fiddling" with your pages. The pages should be secure - FULL STOP. If you have pages that should not be visible to the public, then deploy them to a different server or make them available over a different connector.

When it comes to security I am against any snake oil. It gives you the impression that things are secure while they are not - and that makes things worse than they would have been in the first place because it makes you careless.

Having said that, I have to add that I am not against the feature suggested. I am just against using it as a security enhancement.

Regards

Felix

P.S.: When I said "the hostname I use to reach your machine is entirely under my control" I was not talking about HTTP referers. I was referring to the idea of the original poster to make security depend on the hostname you use to access the site.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4035536#4035536
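The point Felix makes above, that the hostname a client uses is chosen by the client and therefore cannot gate access to /admin, shown as an added example that is not part of the thread and not Seam or JBoss code. It is framework-agnostic Python; the request model, the hostname `admin.internal.example` and the role names are hypothetical.

```python
# Added example (not from the original thread): a Host-header "gate" on /admin
# beside a real authorization check, to show why only the latter is a control.
from dataclasses import dataclass, field
from typing import Optional, FrozenSet

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    # Principal and roles as established server-side by the container's login
    # (session), never read from request headers the client controls.
    user: Optional[str] = None
    roles: FrozenSet[str] = frozenset()

ADMIN_HOST = "admin.internal.example"   # hypothetical "hidden" admin hostname

def allowed_by_host(req: Request) -> bool:
    """Weak: the Host header is supplied by the client, so anyone who learns
    or guesses the admin hostname passes this check with no credentials."""
    if not req.path.startswith("/admin"):
        return True
    return req.headers.get("Host", "").lower() == ADMIN_HOST

def allowed_by_role(req: Request) -> bool:
    """Proper: /admin requires an authenticated principal holding the 'admin'
    role, whatever hostname or connector the request arrived on."""
    if not req.path.startswith("/admin"):
        return True
    return req.user is not None and "admin" in req.roles

# Constructed requests for the demonstration.
public_user = Request("/admin/users", {"Host": "www.example.com"},
                      user="alice", roles=frozenset({"user"}))
# The same non-admin user, but presenting the admin hostname in Host.
spoofed_host = Request("/admin/users", {"Host": ADMIN_HOST},
                       user="alice", roles=frozenset({"user"}))
real_admin = Request("/admin/users", {"Host": "www.example.com"},
                     user="bob", roles=frozenset({"admin"}))

def demo() -> dict:
    """Returns each check's verdict so the difference is visible at a glance."""
    return {
        "host_check_public":  allowed_by_host(public_user),    # False
        "host_check_spoofed": allowed_by_host(spoofed_host),   # True: hostname is no barrier
        "role_check_spoofed": allowed_by_role(spoofed_host),   # False
        "role_check_admin":   allowed_by_role(real_admin),     # True
    }
```

The only line that changes between `public_user` and `spoofed_host` is a header the client sets, which is exactly why the hostname-based check adds nothing once the name is known.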
