[jboss-user] [JBoss Seam] - EntityHome and Hibernate Filters
jmatters
do-not-reply at jboss.com
Sat Jan 5 16:31:57 EST 2008
Hello,
I've got some unexpected behaviour with a hibernate filter in my seam application.
As long as the application is used normally the filter acts as expected. It seems as though all queries conducted through EntityQuery objects (for lists etc.) get the where clause set correctly by the filter. Therefore only elements that match the filter criteria are displayed to the user.
But for queries triggered by EntityHome objects the filter where clause is not set!
This means, by simply changing a request parameter id for an EntityHome object manually in the URL, the user gets a view of the object even though the filter parameter would not allow that.
I would have expected the filter to be more rigorous... I would actually consider that a serious security flaw, as I've read that quite a few applications use filters for separating data in multi-tenant applications.
Is there any way to restrict these queries to the filter values? Or is this really a bug?
- Chris
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4117340#4117340
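The behaviour described in the post matches how Hibernate filters work: an enabled filter is appended to the WHERE clause of HQL/Criteria queries (which is what Seam's EntityQuery issues), but a primary-key lookup via EntityManager.find()/Session.get() (which is what EntityHome.loadInstance() does by default) is not filtered. The following is an added example, not code from the original post or from the Seam or Hibernate projects. It assumes Seam 2's EntityHome and Hibernate as the JPA provider; the Document entity, the filter name "tenantFilter", and the currentTenantId() helper are hypothetical. It overrides loadInstance() so that the by-id lookup goes through a query the filter can see, and adds a post-load tenant check as a second line of defence.

```java
// Added illustration, not code from the original post or from the Seam/Hibernate projects.
// Assumes Seam 2 (org.jboss.seam.framework.EntityHome) with Hibernate as the JPA provider.
// The entity, the filter name "tenantFilter" and currentTenantId() are hypothetical.
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.framework.EntityHome;

@Entity
@FilterDef(name = "tenantFilter", parameters = @ParamDef(name = "tenantId", type = "long"))
@Filter(name = "tenantFilter", condition = "tenant_id = :tenantId")
class Document {
    @Id
    private Long id;
    private Long tenantId;   // maps to the tenant_id column the filter condition references

    public Long getId() { return id; }
    public Long getTenantId() { return tenantId; }
}

@Name("documentHome")
public class DocumentHome extends EntityHome<Document> {

    // Hypothetical: the tenant of the logged-in user, stored in the Seam session
    // context at login time under the key "tenantId".
    private Long currentTenantId() {
        return (Long) Contexts.getSessionContext().get("tenantId");
    }

    @Override
    protected Document loadInstance() {
        // Make sure the filter is enabled on the underlying Hibernate session.
        Session session = (Session) getEntityManager().getDelegate();
        session.enableFilter("tenantFilter").setParameter("tenantId", currentTenantId());

        // Hibernate applies enabled filters to HQL/Criteria queries but not to
        // find()/get() by primary key, so the lookup is rewritten as a query.
        @SuppressWarnings("unchecked")
        List<Document> hits = getEntityManager()
            .createQuery("select d from Document d where d.id = :id")
            .setParameter("id", getId())
            .getResultList();
        Document doc = hits.isEmpty() ? null : hits.get(0);

        // Defence in depth: even if the filter were not enabled on this session,
        // never hand out another tenant's row. Returning null makes Seam treat the
        // id as not found (handleNotFound()), so a forged id in the URL behaves
        // exactly like a nonexistent one.
        if (doc != null && !currentTenantId().equals(doc.getTenantId())) {
            return null;
        }
        return doc;
    }
}
```

In a real application the filter would normally be enabled once per session (for example in a login action or a component that wraps the managed EntityManager) rather than inside every Home; it is enabled here only to keep the example self-contained. The explicit tenant comparison is cheap and also covers paths that bypass entity-level filters, such as getReference() and navigation across a many-to-one association to a filtered entity.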