You said:

anonymous wrote :
  | I was thinking about how to do this best too for some time and I really think this is useful, not "security by obscurity", because people won't start to fiddle with something if they don't know it's there.

anonymous wrote :
  | This way normal users can't prove that /admin exists and won't start fiddling with it.

What if they find out anyway?

For security you should not rely on people "not fiddling" with your pages. The pages should be secure - FULL STOP. If you have pages that should not be visible to the public then deploy them to a different server or make them available over a different connector.

When it comes to security I am against any snake oil. It gives you the impression that things are secure while they are not - and that makes things worse than they would have been in the first place because it makes you careless.

Having said that I have to add that I am not against the feature suggested. I am just against using it as a security enhancement.

Regards
Felix

P.S.: When I said "the hostname I use to reach your machine is entirely under my control" I was not talking about http referers. I was referring to the idea of the original poster to make security depend on the hostname you use to access the site.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4035536#4035536
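An added illustration of the point in the post above (not part of the original thread and not JBoss code): a page gated on the request's Host header opens for any client that sends that header, while a public listener with no admin route answers 404 whatever hostname is used. The hostname `admin.example.internal` and the three route functions are assumptions made for this sketch.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ADMIN_HOST = "admin.example.internal"  # constructed hostname (assumption)

def host_gated(path, host):
    # Weak: /admin is only "hidden"; the client chooses the Host value.
    if path == "/admin":
        return b"admin console" if host == ADMIN_HOST else None
    return b"public page" if path == "/" else None

def public_only(path, host):
    # Public connector: the admin route is not deployed here at all.
    return b"public page" if path == "/" else None

def admin_only(path, host):
    # Separate connector: who can reach it is decided by its bind address
    # and firewalling (plus authentication), never by the Host header.
    return b"admin console" if path == "/admin" else None

def make_handler(route):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = (self.headers.get("Host") or "").split(":")[0]
            body = route(self.path, host)
            self.send_response(200 if body else 404)
            body = body or b"not found"
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):
            pass  # keep the demo quiet
    return Handler

def probe(route, hosts=("www.example.com", ADMIN_HOST)):
    """Serve `route` on a loopback port; GET /admin once per Host value."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(route))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for host in hosts:
            conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
            conn.request("GET", "/admin", headers={"Host": host})
            results[host] = conn.getresponse().status
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results

if __name__ == "__main__":
    print("host-gated :", probe(host_gated))
    print("public-only:", probe(public_only))
```

In a real deployment the `admin_only` listener would be bound to a management interface and still require authentication; here everything runs on loopback only so the comparison is self-contained.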
