The auto-hashing sounds interesting to me--as long as the hash could be seeded by the individual application developer (or even on a per-user basis using a session ID, etc). I didn't totally follow what you meant by the security manager scenario, though. Could you elaborate a bit on that?
Thanks! /dev/mrg On 4/12/07, Robert Zeigler <[EMAIL PROTECTED]> wrote:
So, I currently work around this issue by validating server-side that the user has the appropriate permissions to edit the object[s] that came back with the request. However, I[ve been thinking for awhile now of extending my existing squeeze adapter implementation (the one on Tassel) to address security concerns like this. One possibility would be to use some sort of hashing mechanism, as mentioned by Peter. Another possibility (which is something I'm leaning towards) is to allow for some sort of "security manager", where the squeeze adapter can "re-inflate" the object, then hand it off to the security manager for inspection to make sure that the user responsible for the current request has permission to access the object. Thoughts/comments? Robert
