Application security is crucial, but in my opinion it's no less important to 
have security around the data itself as well.
These guys could have saved themselves from trouble by putting some security in 
the db ...
http://www.computerweekly.com/blogs/public-sector/2007/09/npfit-security-warning-after-n.html#comments

> From: jer...@wickettraining.com
> Date: Tue, 21 Dec 2010 23:22:23 -0600
> Subject: Re: Oracle & Wicket Starter Application Project
> To: users@wicket.apache.org
> 
> On Tue, Dec 21, 2010 at 6:12 PM, Eelco Hillenius
> <eelco.hillen...@gmail.com>wrote:
> 
> > > - using database roles to restrict access to data, and not relying wholly
> > on application enforced security
> >
> > So if you want to determine whether user X can see button Y, you have
> > to query the database for particular role membership?
> 
> 
> Since he says "wholly", I'm assuming he means that the DB stands as the
> "last resort" security.  Ideally your application rules will apply the
> security constraints correctly.  But, if someone finds a way to punch a hole
> in that security (i.e. change a primary key in the URL, which shouldn't be
> there anyway without security around it, but sometimes people do this, which
> leaves an app-level security vulnerability), the DB rules should kick in and
> disallow what you were trying (hacking) to do.
> 
> -- 
> Jeremy Thomerson
> http://wickettraining.com
> *Need a CMS for Wicket?  Use Brix! http://brixcms.org*
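A concrete form of the "DB as last resort" idea discussed above, added here as an example rather than code from this thread or from Wicket: it uses PostgreSQL row-level security (in place of Oracle's equivalent mechanism), and the table, role and setting names are assumptions. The policy makes a request whose primary key was tampered with in the URL come back empty even when the application-level ownership check is missing.

```sql
-- Added example (PostgreSQL syntax): ownership is enforced by the
-- database itself, independently of the application's own checks.
CREATE TABLE invoice (
    id     serial  PRIMARY KEY,
    owner  text    NOT NULL,   -- login name of the customer who owns the row
    amount numeric NOT NULL
);

-- The role the web application connects with does not own the table
-- (so it cannot bypass policies) and gets only the privileges it needs.
CREATE ROLE webapp LOGIN PASSWORD '<placeholder-password>';
GRANT SELECT, INSERT, UPDATE ON invoice TO webapp;
GRANT USAGE ON SEQUENCE invoice_id_seq TO webapp;

-- A row is readable or writable by webapp only when its owner matches
-- the user the application declared for the current transaction.
-- current_setting(..., true) yields NULL when the setting is absent,
-- and owner = NULL is never true, so a forgotten SET LOCAL fails closed.
ALTER TABLE invoice ENABLE ROW LEVEL SECURITY;
CREATE POLICY invoice_owner ON invoice
    TO webapp
    USING      (owner = current_setting('app.user', true))
    WITH CHECK (owner = current_setting('app.user', true));

-- Constructed sample data, inserted as the table owner (policies do not
-- apply to the owner unless FORCE ROW LEVEL SECURITY is set).
INSERT INTO invoice (owner, amount) VALUES ('alice', 10), ('bob', 25);

-- What the application does on every request, connected as webapp:
SET ROLE webapp;
BEGIN;
SET LOCAL app.user = 'alice';                  -- the authenticated session user
-- id 2 belongs to bob; if alice edits the URL to request it, the policy
-- hides the row from both the SELECT and the UPDATE, whatever the app does.
SELECT id, amount FROM invoice WHERE id = 2;
UPDATE invoice SET amount = 0 WHERE id = 2;
COMMIT;
RESET ROLE;
```

The application still has to set `app.user` from its own authenticated session on each transaction; the database layer only guarantees that a request it was never told about cannot reach another customer's rows.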