Re: Authentication and bookmarkable pages

2010-01-14 Thread kirillkh
Hi, Cemal,

Whoa, I completely missed that one, thanks!

-Kirill

On Thu, Jan 14, 2010 at 2:45 AM, Cemal Bayramoglu <jweekend_for...@cabouge.com> wrote:

> Kirill,
>
> You should probably be not authorising component instantiation (Page
> is a Component) instead, in your
> IAuthorizationStrategy#isInstantiationAuthorized implementation.
> Whether "render" is permitted is checked later in the lifecycle of a
> component, as you say.
>
> Regards - Cemal
> jWeekend
> OO & Java Technologies, Wicket
> Consulting, Development, Training
> http://jWeekend.com
>
>
> 2010/1/13 kirillkh :
> > Hi all,
> >
> > I'm using Wicket 1.4.5 with annotations-based authorization. I've discovered
> > what seems like a security problem in the authorization mechanism. Namely,
> > when a certain bookmarkable page shouldn't be rendered according to the
> > policy, it is still constructed, and only then Wicket discovers that it
> > shouldn't be rendered. Is this a known problem? Why doesn't Wicket enforce
> > authorization restrictions in Page's constructor?
> >
> > Thanks,
> > -Kirill
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>
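
The approach from Cemal's reply, as an added example that is not part of the original thread: an `IAuthorizationStrategy` whose `isInstantiationAuthorized` refuses construction of protected pages, so the decision is made at instantiation time and not at render time. The `@RequiresSignIn` annotation, the class name and `isSignedIn()` are hypothetical; the Wicket types are those of the 1.4 API.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.apache.wicket.Component;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;

/** Hypothetical marker annotation for this example; it is not a Wicket type. */
@Inherited // subclasses of a protected page stay protected
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface RequiresSignIn {
}

/**
 * Denies instantiation of annotated pages and components unless the user is
 * signed in. Register it in Application#init() with
 * getSecuritySettings().setAuthorizationStrategy(...).
 */
public abstract class InstantiationGateStrategy implements IAuthorizationStrategy {

    /** Assumption: the application answers this, e.g. from its own Session subclass. */
    protected abstract boolean isSignedIn();

    // Consulted with the component's class when it is instantiated
    // (a Page is a Component), i.e. before any render-time check.
    public <T extends Component> boolean isInstantiationAuthorized(Class<T> componentClass) {
        if (componentClass.isAnnotationPresent(RequiresSignIn.class)) {
            return isSignedIn(); // fail closed for anonymous users
        }
        return true; // unannotated components are unrestricted in this example
    }

    // Consulted later in the lifecycle for actions such as Component.RENDER.
    // Instantiation is the gate here, so actions are not restricted further.
    public boolean isActionAuthorized(Component component, Action action) {
        return true;
    }
}
```

When `isInstantiationAuthorized` returns false, Wicket hands the component to the `IUnauthorizedComponentInstantiationListener` configured in the security settings, which is where a redirect to a sign-in page would go.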


Re: Authentication and bookmarkable pages

2010-01-13 Thread Cemal Bayramoglu
Kirill,

You should probably be not authorising component instantiation (Page
is a Component) instead, in your
IAuthorizationStrategy#isInstantiationAuthorized implementation.
Whether "render" is permitted is checked later in the lifecycle of a
component, as you say.

Regards - Cemal
jWeekend
OO & Java Technologies, Wicket
Consulting, Development, Training
http://jWeekend.com


2010/1/13 kirillkh :
> Hi all,
>
> I'm using Wicket 1.4.5 with annotations-based authorization. I've discovered
> what seems like a security problem in the authorization mechanism. Namely,
> when a certain bookmarkable page shouldn't be rendered according to the
> policy, it is still constructed, and only then Wicket discovers that it
> shouldn't be rendered. Is this a known problem? Why doesn't Wicket enforce
> authorization restrictions in Page's constructor?
>
> Thanks,
> -Kirill
>




Authentication and bookmarkable pages

2010-01-12 Thread kirillkh
Hi all,

I'm using Wicket 1.4.5 with annotations-based authorization. I've discovered
what seems like a security problem in the authorization mechanism. Namely,
when a certain bookmarkable page shouldn't be rendered according to the
policy, it is still constructed, and only then Wicket discovers that it
shouldn't be rendered. Is this a known problem? Why doesn't Wicket enforce
authorization restrictions in Page's constructor?

Thanks,
-Kirill