Well, I'm not sure if you know, but method calls are disabled during
ParametersInterceptor, so I think that went a long way. 

I like your idea of utilizing AbstractUITag to help figure out what are
"acceptable" names. We could, in the future, intimately tie the two
together to do this dynamically I suppose (though that would alienate
people not using the UI tag library).

Let's keep this discussion open and be sure to open some jira issues
around this.

Patrick

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Michał Mosiewicz
> Sent: Saturday, February 21, 2004 4:41 AM
> To: webwork
> Subject: [OS-webwork] Security again
> 
> I must admit that I have not been focused too much on this list recently,
> so I might have missed this topic, but I was thinking on the solution to
> prevent security attacks on ww code that is potentially vulnerable for many
> things. I remember Pat described those problems as "ease of access". In
> fact - due to ease of access it's relatively easy to omit serious security
> problems. In many cases it's tempting just to add more beans to your
> actions that are exposed to ParameterInterceptor, sometimes in a manner you
> just haven't thought of.
> 
> I once proposed some patches to ParameterInterceptor to filter values that
> it passes using allow/deny regexp patterns. I'm using this solution for
> myself. However, the con is that I'm still actively involved in creating
> security patterns. Humans are usually the weakest links in security chains,
> so I'm trying to eliminate myself from the process of defining security by
> applying a default "deny all" policy, then selectively opening only the
> necessary things.
> 
> So now I would propose to patch AbstractUITag to collect all 'name'
> attribute values in a well-known place. Then this information may be used
> by a patched ParameterInterceptor to check what parameters are actually
> allowed to pass.
> 
> -- Mike
> 
> 
> 
> _______________________________________________
> Opensymphony-webwork mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork


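The default-deny parameter filter the thread sketches, combining the 'name' values collected from the UI tags with Mike's allow/deny regexps and the rejection of method-call syntax Patrick mentions, as an added stand-alone example rather than code from WebWork or from either poster; the class name ParameterNameFilter, the sample field names and the request map are assumed.

```java
import java.util.*;
import java.util.regex.Pattern;

// Default-deny filter for request parameter names (added example, not WebWork code).
public class ParameterNameFilter {
    // Names collected from the form's UI tags, standing in for the
    // AbstractUITag 'name' attributes the thread proposes to collect.
    private final Set<String> formNames;
    // Optional allow/deny regexps from the earlier patch idea.
    private final List<Pattern> allow = new ArrayList<Pattern>();
    private final List<Pattern> deny = new ArrayList<Pattern>();
    // Method-call syntax inside a parameter name is rejected outright.
    private static final Pattern METHOD_CALL = Pattern.compile("[()]");

    public ParameterNameFilter(Set<String> formNames) { this.formNames = formNames; }
    public ParameterNameFilter allow(String regex) { allow.add(Pattern.compile(regex)); return this; }
    public ParameterNameFilter deny(String regex)  { deny.add(Pattern.compile(regex));  return this; }

    // Deny wins over allow; a name that nothing explicitly opened stays closed.
    public boolean isAllowed(String name) {
        if (METHOD_CALL.matcher(name).find()) return false;
        for (Pattern p : deny)  if (p.matcher(name).matches()) return false;
        if (formNames.contains(name)) return true;
        for (Pattern p : allow) if (p.matcher(name).matches()) return true;
        return false;
    }

    // What the interceptor would hand to the action instead of the raw request map.
    public Map<String, String[]> filter(Map<String, String[]> params) {
        Map<String, String[]> out = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> e : params.entrySet())
            if (isAllowed(e.getKey())) out.put(e.getKey(), e.getValue());
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the form rendered two fields, the request carries four.
        Set<String> fromTags = new HashSet<String>(Arrays.asList("user.name", "user.email"));
        ParameterNameFilter f = new ParameterNameFilter(fromTags).deny("user\\.admin(\\..*)?");
        Map<String, String[]> request = new LinkedHashMap<String, String[]>();
        request.put("user.name", new String[] {"mike"});
        request.put("user.email", new String[] {"mike@example.org"});
        request.put("user.admin", new String[] {"true"});         // bean exposed by accident
        request.put("user.name.getClass()", new String[] {"x"});  // method-call syntax
        System.out.println(f.filter(request).keySet());
    }
}
```

Only the two names the form actually rendered survive the filter; the accidentally exposed bean property and the method-call expression are dropped before the action ever sees them.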