Hi Craig.
If you're worried about security, you might want to upgrade to 3.0.3.
Anyway, as Paul points out, one way to manage basic security is to have
a base page that your non-home pages derive from. Something like this:
import org.apache.tapestry.PageRedirectException;
import org.apache.tapestry.event.PageEvent;
import org.apache.tapestry.event.PageValidateListener;
import org.apache.tapestry.html.BasePage;

public abstract class MyUserPage extends BasePage implements
    PageValidateListener
{
    // Called by the framework before the page is activated for a request.
    public void pageValidate(PageEvent event)
    {
        // logged in?  (Visit is the application's own visit class)
        Visit visit = (Visit) getVisit();
        if ((visit != null) && visit.isUserLoggedIn())
        {
            return;
        }
        // no, so redirect to Home instead of rendering this page
        throw new PageRedirectException("Home");
    }
}
Cheers,
Nick.
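The pieces around Nick's base page, as an added example of my own (not code from either post, nor Tapestry's): an assumed Visit, a LoginPage that is the only place the logged-in flag gets set, and the Situation page from Craig's URL whose DirectLink listener (assumed to be named bookingById) re-checks the visit itself, so the action fails closed even if page-level validation is somehow bypassed. checkCredentials, findBooking and setBooking are assumed helpers.

```java
import org.apache.tapestry.IRequestCycle;
import org.apache.tapestry.PageRedirectException;
import org.apache.tapestry.event.PageEvent;
import org.apache.tapestry.event.PageValidateListener;
import org.apache.tapestry.html.BasePage;

// Assumed Visit class: only LoginPage ever flips the flag to true.
class Visit implements java.io.Serializable {
    private boolean loggedIn;
    public boolean isUserLoggedIn() { return loggedIn; }
    void markLoggedIn() { loggedIn = true; }
}

// Base page: a pasted URL for any subclass hits pageValidate first.
abstract class MyUserPage extends BasePage implements PageValidateListener {
    protected boolean isLoggedIn() {
        Visit visit = (Visit) getVisit();
        return visit != null && visit.isUserLoggedIn();
    }
    public void pageValidate(PageEvent event) {
        if (!isLoggedIn()) throw new PageRedirectException("Home");
    }
}

// Assumed login page; getUserName/getPassword are page properties
// declared in the .page specification and bound to the form fields.
abstract class LoginPage extends BasePage {
    public abstract String getUserName();
    public abstract String getPassword();
    public void login(IRequestCycle cycle) {
        if (!checkCredentials(getUserName(), getPassword())) return; // stay here
        ((Visit) getVisit()).markLoggedIn(); // the only place the flag is set
        cycle.activate("Home");
    }
    private boolean checkCredentials(String user, String password) {
        return false; // assumed: fail closed until wired to your user store
    }
}

// Page behind ".../direct/1/Situation/bookingById0&sp=480". The listener
// re-checks the visit itself, so no booking is loaded for an anonymous request.
abstract class Situation extends MyUserPage {
    public void bookingById(IRequestCycle cycle) {
        if (!isLoggedIn()) throw new PageRedirectException("Home");
        Object[] sp = cycle.getServiceParameters(); // the sp=480 value
        setBooking(findBooking(sp[0]));
    }
    public abstract void setBooking(Object booking); // page property, assumed
    private Object findBooking(Object id) { return null; } // assumed lookup
}
```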
Craig Turner wrote:
Within my application I have used DirectLinks in several places. The
links appear like this:
http://localhost:8080/admin/app?service=direct/1/Situation/bookingById0&sp=480
The system is one where users are required to log in and I have a simple
login page.
Unfortunately, it is currently possible to do the following:
- go to the login screen
- paste that link above into the URL bar
- be dumped at that page without having logged in
Presumably any method can be triggered through this mechanism provided
you know (or can guess) the key elements to construct a string (which
might not be difficult if you were snooping HTTP traffic).
Have I done something wrong in my implementation? Should I somehow be
deferring giving a session to my users until they've logged in?
Perhaps I should have the login page use a different system whereby the
user doesn't get a session until they log in. Still - is it possible
users could then use a different sort of URL hack to get hold of one of
the pages to grant them a session, and then try the same trick?
- C
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]