Peter, just out of curiosity, can you point me to the documentation about turning off the logging on an event by event basis? I did the plugin thing because I didn't see a simpler way.
-dave

Peter J. Farrell wrote:
> Dave Evartt said the following on 10/21/2009 03:32 PM:
>> Granted that there are security concerns with hidden calls to the
>> application, but really, are they really any less secure than the same
>> call from a browser link? I think not. But it's about the user
>> experience, and if we're not concerned with that then we can just say,
>> 'no javascript, no java, no cookies, and nothing but plain old text'.
>> But since few developers fall into the Luddite category, and ajax really
>> has nothing to do with the M2 architecture anyway, I wouldn't think
>> twice about it.
>
> Actually, this is a good point. Most people already have implemented
> some sort of login / security process via filters or plugins in
> Mach-II. If you run your AJAX outside of Mach-II, you have to re-create
> those security measures again, which leads to two implementations that are
> trying to solve the same thing. Running AJAX through Mach-II means you
> can leverage your already existing infrastructure. Having two
> implementations is a security concern if one works slightly differently
> than the other.
>
> Just curious why you abort your AJAX events in your example code? If it
> has to do with Mach-II debugging output, you can programmatically turn
> that off on an event by event basis (see the doco for the event-arg you
> need to set).
>
>> When it comes down to it, making an ajax call should never be treated
>> any differently than any other call from the browser, regardless of the
>> platform the application runs under, since it is always under the
>> direct control of the browser anyway.
>
> I totally agree normal browser requests and AJAX requests are just plain
> old HTTP calls. It's just that AJAX is inside the user agent already so
> it's probably going to do more stuff. They both have to be secured the same way.
>
> You can do some additional security because most AJAX libraries send some
> additional information in the user agent string and/or HTTP request
> headers that identify it as an AJAX request. You could easily write a
> plugin that looks for this information for AJAX events in Mach-II. This
> would disallow the casual person from requesting that event via the
> browser url -- however it's no replacement for true security in case
> somebody spoofs headers / data via some other mechanism.
>
>> All of this is of course, just my opinion. Your mileage may differ.
>
> Jordan, I'm curious where you read AJAX through Mach-II is bad. I think
> in the past a few people have vocalized that they thought this might be
> bad, but I've never been very convinced due to the lack of reasons. Bad
> for bad's sake isn't a true reason to me. I guess Team Mach-II has never
> really said otherwise to use AJAX in Mach-II, but from what we've talked
> about for future versions of the framework -- AJAX integration / hooks /
> tools for you to use will be expanded (my arm is being twisted a bit by
> former team member Kyle Hayes to use DOJO -- he just wrote a book on
> DOJO and I must admit people are overlooking that framework).
>
> Best,
> .Peter

--
You received this message because you are subscribed to Mach-II for CFML list.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/mach-ii-for-coldfusion?hl=en
SVN: http://greatbiztoolsllc.svn.cvsdude.com/mach-ii/
Wiki / Documentation / Tickets: http://greatbiztoolsllc.trac.cvsdude.com/mach-ii/
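The point Peter makes in the quoted message, that an "is this AJAX" header check keeps casual address-bar requests away from AJAX-only events but is no substitute for the same login check every other event gets, can be shown as a small request guard. This is an added example, not code from the thread and not Mach-II's plugin API; it is framework-neutral Python. The event names, the session store and the sample requests are constructed for the example, and it assumes the client library sends the `X-Requested-With: XMLHttpRequest` header that jQuery, Prototype and Dojo's xhr helpers set on their requests.

```python
"""
Framework-neutral guard illustrating the thread's point: the AJAX marker
header is a routing hint that any client can forge, so the access decision
must come from the server-side session check shared with non-AJAX events.
"""

# Constructed event names for the example (not Mach-II configuration).
AJAX_ONLY_EVENTS = {"fetchOrders", "saveProfile"}
AUTH_REQUIRED_EVENTS = AJAX_ONLY_EVENTS | {"dashboard"}

# Constructed session store: session id -> user name.  In a real app this is
# whatever the existing login filter/plugin already consults.
SESSIONS = {"sess-abc123": "alice"}


def is_ajax(headers):
    """Hint only: true when the client sent the XMLHttpRequest marker.

    Header names are case-insensitive in HTTP, so keys are normalised.  Any
    HTTP client can add this header, which is why it never grants access.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-requested-with", "").lower() == "xmlhttprequest"


def authenticated_user(cookies):
    """The real check: look the session cookie up server-side."""
    return SESSIONS.get(cookies.get("SESSIONID"))


def guard(request):
    """Decide whether an event may run.  Returns (http_status, reason).

    The authentication check runs first and applies to AJAX and plain
    requests alike.  The AJAX header only narrows which entry points an
    AJAX-only event accepts, so typing its URL into the address bar gets a
    404 while a forged header without a valid session still gets a 401.
    """
    event = request["event"]
    user = authenticated_user(request.get("cookies", {}))

    if event in AUTH_REQUIRED_EVENTS and user is None:
        return 401, "login required"

    if event in AJAX_ONLY_EVENTS and not is_ajax(request.get("headers", {})):
        return 404, "event not exposed to plain navigation"

    return 200, "ok (%s)" % (user or "anonymous")


def run_scenarios():
    """Four constructed requests covering the cases discussed in the thread."""
    ajax_hdr = {"X-Requested-With": "XMLHttpRequest"}
    session = {"SESSIONID": "sess-abc123"}
    return {
        "logged-in ajax call":      guard({"event": "fetchOrders", "headers": ajax_hdr, "cookies": session}),
        "logged-in address bar":    guard({"event": "fetchOrders", "headers": {}, "cookies": session}),
        "forged header, no login":  guard({"event": "fetchOrders", "headers": ajax_hdr, "cookies": {}}),
        "public event, anonymous":  guard({"event": "home", "headers": {}, "cookies": {}}),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-26s -> %s" % (name, result))
```

The third scenario is the one that matters: a request carrying the AJAX header but no session is rejected by the same check that protects the non-AJAX `dashboard` event, so there is one implementation of the security decision, not two that might drift apart.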
