5 Replies Latest reply on Mar 22, 2007 3:06 AM by christian.bauer

    is link secure?

    y_zl

      Hi!

      I'd like to know if the links generated by s:link s:button are secure.

      for example

      <s:link action="#{AA.method}" value="XXX">
       <f:param name="id" value="#{object.id}" />
      </s:link>
      


      is it possible for somebody to copy this link to the browser and modify the object id in the current session so that he could see the content of other objects?

      Thanks

        • 1. Re: is link secure?

          Seam does not verify the integrity of the URL. Your action should contain the appropriate security checks if that is important to the application.

          • 2. Re: is link secure?
            gavin.king

             

            > I'd like to know if the links generated by s:link s:button are secure.


            They are just as secure as JSF form submissions, i.e. Seam verifies that the method being invoked is really one that appears in an EL expression on the page.

            However, it is of course your job to make sure that the actual data passed in parameters is safe (just like in any web fwk).

            • 3. Re: is link secure?
              dcracauer

              Any chance of having an s:secureLink tag, or a secure="true" option on the link tag? When this is used, Seam would encrypt the parameter, then decrypt on the other side. This is what we currently do when we pass around ids in our Struts app, and I'm going to need to find a similar solution for our conversion to Seam.

              • 4. Re: is link secure?
                gavin.king

                Use a page parameter, and implement the encrypt/decrypt in a JSF converter.
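                One way to carry out that suggestion, as an added example that is not code from the thread or from Seam itself: a JSF converter that attaches a keyed MAC (HMAC-SHA256) to the id when the link is rendered and verifies it when the request returns, so an id edited in the address bar is rejected by the converter before the action method runs. It uses a MAC rather than encryption because the aim here is to detect tampering and the id is not a secret. The converter id, the `app.signedId.key` property, the `view.xhtml` page and the `viewer.objectId` binding are all assumed names for illustration.

```java
// Added example (not from the thread). A JSF converter that appends an HMAC tag
// to the id when the link is rendered and verifies it when the request comes
// back. An id that was edited in the browser fails conversion before the
// action ever runs. Keyed MAC, not encryption: the page needs integrity here,
// and the id itself is not secret.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.convert.Converter;
import javax.faces.convert.ConverterException;

/*
 * Assumed wiring (adapt to the project):
 *
 *   faces-config.xml
 *     <converter>
 *       <converter-id>signedIdConverter</converter-id>
 *       <converter-class>example.SignedIdConverter</converter-class>
 *     </converter>
 *
 *   pages.xml (the page parameter suggested above)
 *     <page view-id="/view.xhtml">
 *       <param name="id" value="#{viewer.objectId}" converterId="signedIdConverter"/>
 *     </page>
 */
public class SignedIdConverter implements Converter {

    private static final String ALGORITHM = "HmacSHA256";

    // Assumption: a random key of at least 32 bytes, Base64-encoded, read from
    // server-side configuration (a hypothetical system property here). If the
    // client can learn the key, the tag proves nothing.
    private static final byte[] KEY = loadKey();

    private static byte[] loadKey() {
        String encoded = System.getProperty("app.signedId.key");
        if (encoded == null) {
            throw new IllegalStateException("app.signedId.key is not configured");
        }
        byte[] key = Base64.getDecoder().decode(encoded);
        if (key.length < 32) {
            throw new IllegalStateException("app.signedId.key must be at least 32 bytes");
        }
        return key;
    }

    // HMAC over the decimal id, URL-safe Base64 without padding. That alphabet
    // has no '.', so '.' is a safe separator between id and tag.
    private static String tag(String id) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(new SecretKeySpec(KEY, ALGORITHM));
            byte[] t = mac.doFinal(id.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(t);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Rendering side: Long 42 -> "42.<tag>"
    @Override
    public String getAsString(FacesContext ctx, UIComponent component, Object value) {
        if (value == null) {
            return "";
        }
        String id = value.toString();
        return id + "." + tag(id);
    }

    // Request side: "42.<tag>" -> Long 42, or a ConverterException when the
    // tag does not match the id it arrived with.
    @Override
    public Object getAsObject(FacesContext ctx, UIComponent component, String value) {
        if (value == null || value.isEmpty()) {
            return null;
        }
        int dot = value.indexOf('.');
        if (dot <= 0 || dot == value.length() - 1) {
            throw new ConverterException("malformed id parameter");
        }
        String id = value.substring(0, dot);
        String presented = value.substring(dot + 1);
        // Constant-time comparison, so response timing does not depend on how
        // many leading bytes of the presented tag happen to be right.
        byte[] expected = tag(id).getBytes(StandardCharsets.UTF_8);
        byte[] actual = presented.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new ConverterException("id parameter failed its integrity check");
        }
        try {
            return Long.valueOf(id);
        } catch (NumberFormatException e) {
            throw new ConverterException("id parameter is not numeric");
        }
    }
}
```

                Note what this does and does not give you: a failed tag means the server never issued that exact link, which is useful for detecting tampering and for logging it. It does not decide whether the current user may see object 42; a link the server issued to one user still validates if another user submits it, so the action (or the layer below it) still has to check access rights.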

                • 5. Re: is link secure?
                  christian.bauer

                  That is also a novel approach to entity security. You should not obscure URLs but rather have a multi-layer approach, where at the lowest layer you can never even load an entity from the database you do not have the access rights for.
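                  The lowest layer Christian describes, as an added example rather than code from the thread or from Seam: the repository query itself carries the caller's identity, so an id belonging to someone else never becomes a loaded entity no matter what the URL said. The `Document` entity with its `owner` relation and the `CurrentUser` collaborator are assumed for illustration; JPA's `EntityManager`, `TypedQuery`, `NoResultException` and `EntityNotFoundException` are the real API.

```java
// Added example (not from the thread). Entity-level access control in the
// repository: ownership is part of the query, so a caller holding a
// well-formed id still cannot load a row they are not entitled to.
// Assumptions: JPA; a Document entity with an `owner` relation whose id is
// a Long; a hypothetical CurrentUser component exposing the authenticated
// user's id.
import javax.persistence.EntityManager;
import javax.persistence.EntityNotFoundException;
import javax.persistence.NoResultException;
import javax.persistence.TypedQuery;

public class DocumentRepository {

    private final EntityManager em;
    private final CurrentUser currentUser;

    public DocumentRepository(EntityManager em, CurrentUser currentUser) {
        this.em = em;
        this.currentUser = currentUser;
    }

    // Before: loads whichever id the request carried. Only correct when every
    // caller is allowed to read every Document, which is rarely the case.
    public Document loadUnchecked(Long id) {
        return em.find(Document.class, id);
    }

    // After: the caller's identity is bound into the query. A row the caller
    // does not own and a row that does not exist produce the same outcome, so
    // the response also does not reveal which ids are in use.
    public Document loadForCurrentUser(Long id) {
        TypedQuery<Document> q = em.createQuery(
                "select d from Document d where d.id = :id and d.owner.id = :userId",
                Document.class);
        q.setParameter("id", id);
        q.setParameter("userId", currentUser.id());
        try {
            return q.getSingleResult();
        } catch (NoResultException e) {
            throw new EntityNotFoundException("Document " + id + " not found");
        }
    }
}

// Hypothetical collaborator: wraps whatever the application uses for the
// authenticated principal (in Seam, typically a component built on Identity).
interface CurrentUser {
    Long id();
}
```

                  Because the check lives in the data-access layer, every caller (the s:link action, a REST endpoint, a scheduled job acting on behalf of a user) gets it without remembering to add it, which is the point of putting it at the lowest layer rather than in the URL.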