> On 10 nov, 18:35, Stephen Haberman <[email protected]> wrote:
> > > In the current state, I honestly doubt that RequestFactory should
> > > be used in a productive environment, as it introduces really
> > > hard-to-overlook security problems.
> >
> > That was my impression was well.
>
> I think it really depends what your use case is.
That could be.
My biggest concern is the client-driven object graph navigation that RF
allows. E.g. let's say you have a method:
Employee find(int id) {
// check employee access
return em.find(Employee.class, id);
}
Stringing together `with("employer")`, etc., can a malicious client
return more than just the employee from this method? Of course employer
must pass checkClass. But checkClass aside, the client can pull
arbitrary object graph data back that isn't subject to a user-/method-
specific check.
Similarly on save, if I have:
void saveMyEmployee(Employee ee) {
// check employee access
em.persist(ee);
}
And a malicious client sends in a JSON request that sets both the
employee name and the employer name, will `em.persist` cascade save both
the employee and the employer?
(I admit I don't regularly use JPA, so my knowledge of their cascading
semantics is not what it should be. I did use Hibernate once where
"cascade all" was how we had it configured, but I don't know how common
that is.)
I would feel a whole lot better about RF if the fields/object graph
navigation allowed for each find/save/service method was specified
and enforced on the server-side rather than being a client-directed
feature.
> Have you looked at RequestFactory_2_1_1?
Yeah, I definitely like RequestFactoryMagic showing up, but I didn't see
anything related to restricting field/object graph navigation.
- Stephen
--
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/google-web-toolkit?hl=en.
