In 1.4b3, the default PSML security settings are "owner only" so won't access other users' content, but there still seem to be some issues with some customization methods not enforcing the security access.

If you have upgraded (or still use) an older release, make sure to restrict the PSML files with the proper 'security-ref'.

> -----Original Message-----
> From: Weaver, Scott [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 15 January 2003 21:04
> To: 'Jetspeed Users List'
> Subject: RE: Security Hole
>
> I addressed this with a patch a long time ago. However, this is considered a "feature" by some developers so the patch could not be applied. I think I ended up writing a custom access controller that prevents this as opposed to directly patching the jetspeed source.
>
> Another approach, using the new security service, is to secure portlet sets within a user's PSML profile using a pre-defined security reference.
>
> Scott
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 15, 2003 2:01 PM
> > To: [EMAIL PROTECTED]
> > Subject: Security Hole
> >
> > Hi,
> >
> > I have seen one other reference in the mailing list regarding a security hole, but I want to clarify this issue. The following url is displayed on the address bar:
> >
> > http://localhost:8080/portal/media-type/html/user/bstraw001/page/default.psml/js_pane/P-f2c3135036-10001
> >
> > This url design was not present in version 1.3a2.
> >
> > By substituting the userid with another valid userid, I can see the other user's content.
> >
> > Any thoughts? Mitigating controls? Missed configuration?
> >
> > --
> > To unsubscribe, e-mail: <mailto:jetspeed-user-[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:jetspeed-user-[EMAIL PROTECTED]>

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
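The thread's core point is that the profile owner named in the URL (`/user/bstraw001/`) was being trusted as the access decision, so swapping the userid exposed another user's PSML. The "owner only" default and a `security-ref` on the profile both amount to the same server-side rule: derive *which* profile is requested from the URL, but decide *whether* the authenticated principal may see it from the profile's security reference. The following Python block is an added illustration of that rule written for this page; it is not code from the thread or from Jetspeed. The path layout mirrors the URL quoted above, while the function names, the `owner-only` / `all-users` / `admin-only` reference values, the `Principal` type and the sample users are assumptions made for the example.

```python
"""Owner-only authorization for portal profile URLs (constructed example).

The path layout (/portal/media-type/html/user/<userid>/page/<page>.psml/...)
follows the URL quoted in the mailing-list thread. Everything else here,
including the security-ref names and the sample profiles, is an assumption
for illustration and is not Jetspeed's own API.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical security references a PSML profile might carry. "owner-only"
# echoes the 1.4b3 default named in the thread; the other two are assumed.
OWNER_ONLY = "owner-only"
ALL_USERS = "all-users"
ADMIN_ONLY = "admin-only"


@dataclass(frozen=True)
class Principal:
    """The authenticated user, as established by the session, not the URL."""
    name: str
    roles: frozenset = frozenset()


def profile_owner_from_url(url: str) -> Optional[str]:
    """Return the userid segment that follows '/user/' in the portal path,
    or None when the path does not address a user profile at all."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    for i, seg in enumerate(parts[:-1]):
        if seg == "user":
            return parts[i + 1]
    return None


def is_authorized(principal: Optional[Principal], owner: str, security_ref: str) -> bool:
    """Decide whether `principal` may render the profile owned by `owner`.

    The URL only tells us which profile is requested; the decision itself is
    made from the authenticated principal and the profile's security-ref.
    """
    if principal is None:
        return False                      # anonymous: never
    if "admin" in principal.roles:
        return True                       # assumed administrative role
    if security_ref == ALL_USERS:
        return True
    if security_ref == OWNER_ONLY:
        return principal.name == owner    # the check the thread asks for
    return False                          # ADMIN_ONLY or unknown ref: deny


def check_request(url: str, principal: Optional[Principal], profile_refs: dict) -> dict:
    """Authorize one request and return an audit-style decision record."""
    owner = profile_owner_from_url(url)
    if owner is None:
        return {"owner": None, "decision": "deny", "reason": "no profile in path"}
    # A profile with no recorded security-ref falls back to the most
    # restrictive reference rather than to a permissive default.
    ref = profile_refs.get(owner, ADMIN_ONLY)
    allowed = is_authorized(principal, owner, ref)
    return {
        "owner": owner,
        "principal": principal.name if principal else "anonymous",
        "security_ref": ref,
        "decision": "allow" if allowed else "deny",
        "reason": "ok" if allowed else "denied by security-ref",
    }


# Constructed sample data: the URL from the thread plus one shared profile.
THREAD_URL = ("http://localhost:8080/portal/media-type/html/user/bstraw001"
              "/page/default.psml/js_pane/P-f2c3135036-10001")
PROFILE_REFS = {"bstraw001": OWNER_ONLY, "shared": ALL_USERS}  # assumed

if __name__ == "__main__":
    for who in (Principal("bstraw001"), Principal("another_user"), None):
        print(check_request(THREAD_URL, who, PROFILE_REFS))
```

Run stand-alone, the block prints an allow for `bstraw001` on its own profile and a deny for both another authenticated user and an anonymous request against the same URL, which is the behaviour the "owner only" default is meant to give. The decision record is shaped so it can be written to an audit log; a run of denies from one principal across many `owner` values is the pattern a defender would look for when checking whether userid substitution is being attempted.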
