-
1. Re: is link secure?
norman.richards Mar 21, 2007 10:16 PM (in response to y_zl)
Seam does not verify the integrity of the URL. Your action should contain the appropriate security checks if that is important to the application.
-
2. Re: is link secure?
gavin.king Mar 21, 2007 10:41 PM (in response to y_zl)
I'd like to know if the links generated by s:link s:button are secure.
They are just as secure as JSF form submissions. i.e. Seam verifies that the method being invoked is really one that appears in an EL expression on the page.
However, it is of course your job to make sure that the actual data passed in parameters is safe (just like in any web fwk).
-
3. Re: is link secure?
dcracauer Mar 21, 2007 10:52 PM (in response to y_zl)
Any chance of having an s:secureLink tag, or secure="true" option on the link tag? When this is used, Seam would encrypt the parameter, then decrypt on the other side. This is what we currently do when we pass around ids in our struts app, and I'm going to need to find a similar solution for our conversion to Seam.
-
4. Re: is link secure?
gavin.king Mar 21, 2007 10:56 PM (in response to y_zl)
Use a page parameter, and implement the encrypt/decrypt in a JSF converter.
-
5. Re: is link secure?
christian.bauer Mar 22, 2007 3:06 AM (in response to y_zl)
That is also a novel approach to entity security. You should not obscure URLs but rather have a multi-layer approach, where at the lowest layer you can never even load an entity from the database you do not have the access rights for.