Hi!I was checking out the "Preventing Direct Component Access" section in page 137 of Practical WO book. *
This is an easy issue to avoid, as long as you know that you have to do it.
My question is: as most people don't, shouldn't this feature be disabled by default? This is a huge security hole. Of course all my pages are protected with a "IsAuthenticated" wrapper, but I can't do the same to all my little subcomponents, due to keeping my sanity. And obviously I have no ideia how will every subcomponent react to this kind of access, specifically if they will reveal info they they shouldn't or just throw an exception.
So, I don't see any use at all for this "feature", as we have Direct Actions to do this decently. The only good use for this is to get iTunes musics and Mac Pros for free! ;) Kidding, but seriously, this COULD be a huge security breach on many apps out there.
Should it be disabled in future versions of WO by default? I vote for "Yes, ASAP!".
* For those of you who don't have Chuck's and Sacha's book (go buy it NOW) the problem is that in ANY WO app you can type in the URL bar: http://server.com/WebObjects/MyApp.woa/wo/aComponentName.wo and you instantly load that component on the browser. Yes, really.
Yours Miguel Arroz Miguel Arroz http://www.terminalapp.net http://www.ipragma.com
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list ([email protected]) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to [EMAIL PROTECTED]
