I addressed this with a patch a long time ago. However, this is considered a "feature" by some developers so the patch could not be applied. I think I ended up writing a custom access controller that prevents this, as opposed to directly patching the Jetspeed source.

Another approach, using the new security service, is to secure portlet sets within a user's PSML profile using a pre-defined security reference.

Scott

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 15, 2003 2:01 PM
> To: [EMAIL PROTECTED]
> Subject: Security Hole
>
> Hi,
>
> I have seen one other reference in the mailing list regarding a security
> hole, but I want to clarify this issue. The following url is displayed on
> the address bar:
>
> http://localhost:8080/portal/media-type/html/user/bstraw001/page/default.psml/js_pane/P-f2c3135036-10001
>
> This url design was not present in version 1.3a2.
>
> By substituting the userid with another valid userid, I can see the other
> user's content.
>
> Any thoughts? Mitigating controls? Missed configuration?
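As an added illustration of the kind of owner check Scott describes (this is not Jetspeed's own code or API; the class name, method names and the "admin" role name are assumptions), a standalone Java check that refuses a user-scoped PSML request unless the authenticated principal matches the userid segment in the path:

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical owner check for Jetspeed-style PSML profile URLs. */
public final class PsmlAccessCheck {
    // Matches the "/user/<userid>/" segment, anchored on both slashes so a
    // userid that is merely a prefix of another does not match by accident.
    private static final Pattern USER_SEGMENT = Pattern.compile("/user/([^/]+)/");

    /** Returns the profile owner named in the request path, or null if none. */
    static String profileOwner(String path) {
        Matcher m = USER_SEGMENT.matcher(path);
        return m.find() ? m.group(1) : null;
    }

    /**
     * Allow the request only when the authenticated user owns the profile
     * named in the URL, or holds a role permitted to view any profile.
     * The decision is taken from the session principal, never from the URL.
     */
    static boolean isAllowed(String path, String authenticatedUser, Set<String> roles) {
        String owner = profileOwner(path);
        if (owner == null) {
            return true; // not a per-user profile URL; other checks apply
        }
        if (authenticatedUser == null) {
            return false; // anonymous callers never see user-scoped PSML
        }
        return owner.equals(authenticatedUser) || roles.contains("admin");
    }

    public static void main(String[] args) {
        // Constructed sample: the URL shape from the report above.
        String path = "/portal/media-type/html/user/bstraw001/page/default.psml"
                    + "/js_pane/P-f2c3135036-10001";
        System.out.println("owner:        " + isAllowed(path, "bstraw001", Set.of()));
        System.out.println("other user:   " + isAllowed(path, "someoneelse", Set.of()));
        System.out.println("admin role:   " + isAllowed(path, "someoneelse", Set.of("admin")));
        System.out.println("anonymous:    " + isAllowed(path, null, Set.of()));
    }
}
```

The check belongs in front of the profile loader (a filter or the access controller itself), so that a substituted userid in the URL is refused before any PSML is read.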
