-
1. Re: Security issue - 'actionMethod' as parameter
shane.bryzak Mar 7, 2008 12:24 AM (in response to trouby)I don't quite understand the question. Perhaps you should post some of your code.
-
2. Re: Security issue - 'actionMethod' as parameter
trouby Mar 10, 2008 2:29 PM (in response to trouby)I use a Seam component for rendering all JBPM tasks related to the logged-in user in a DT;
per row, I have the following link:
<s:button action="#{taskManager.loadTaskNode}" taskInstance="#{jTask}" value="Review" view="/taskInfo.xhtml"/>
taskManager.loadTaskNode is empty; it's just annotated with @BeginTask for starting the task management.
The s:button generates a link such as (the link is not accurate!):
http://myserver/taskInfo.xhtml?taskId=44&actionMethod=taskManager.loadTaskNode
I want this link to be bookmarked and re-used later on. When I submit the link, I get an exception from the 'loadTaskNode' method.
It shouldn't happen, as the taskInfo.xhtml page is restricted to logged-in users only; I was expecting the login prompt before the method invocation.
This is just an example; I am pretty sure it has nothing to do with JBPM tasks, as Seam generates the 'actionMethod' request parameter for any invocation through Seam links.
Asaf.
-
3. Re: Security issue - 'actionMethod' as parameter
pmuir Mar 11, 2008 9:23 PM (in response to trouby)AFAICS this should work, so please file a JIRA issue and attach a simple example of the problem that we can run (preferably not involving jBPM!).
-
4. Re: Security issue - 'actionMethod' as parameter
rzymek.rzymek.gmail.com May 13, 2008 2:20 PM (in response to trouby)The action will be called and this has nothing to do with the 'actionMethod' parameter.
By protecting only the taskInfo.xhtml page (via <page login-required="true"> in pages.xml) you only ensure that only logged-in users can RENDER the page. You need to protect all your components as well, using the @Restrict annotation:
@Name("taskManager")
@Restrict("#{s:hasRole('someRoleName')}")
public class TaskManager { /* ... */ }
-
5. Re: Security issue - 'actionMethod' as parameter
rzymek.rzymek.gmail.com May 13, 2008 2:34 PM (in response to trouby)By the way: the actionMethod parameter is checked, so that it does not allow arbitrary values. Take a look at SafeActions:
/**
 * Maintains a set of "safe" actions that may be performed
 * by <s:link/>, as determined by actually parsing
 * the view.
 *
 * @author Gavin King
 */
@Scope(ScopeType.APPLICATION)
@BypassInterceptors
@Name("org.jboss.seam.navigation.safeActions")
@Install(precedence=BUILT_IN, classDependencies="javax.faces.context.FacesContext")
public class SafeActions {
    // ...
}
The actionMethod parameter is actually read in the Pages.callAction method, which uses the SafeActions component.
As you can see, the value of the actionMethod parameter is only executed when it appears on the corresponding page.
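A simplified model of that allow-list check, added here as an illustration and not Seam's own SafeActions code: the view ids, the "viewId:bean.method" key format and the sample markup are constructed assumptions. Passing this check only means the expression is declared on the page the request names; it says nothing about whether the current user may call it, which is what @Restrict on the component is for.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified model of the SafeActions allow-list (not Seam's own code):
// an action expression is accepted only if it was found, by scanning the
// view's markup, on the very page the request claims it came from.
public class SafeActionsDemo {

    // Matches action="#{bean.method}" as written on <s:link/> and <s:button/>.
    private static final Pattern ACTION_ATTR =
            Pattern.compile("\\baction=\"#\\{([^}]+)\\}\"");

    // Entries have the assumed form "viewId:bean.method".
    private final Set<String> safeActions = new HashSet<>();

    // Scan one view's source and record every action it declares.
    public void registerView(String viewId, String viewSource) {
        Matcher m = ACTION_ATTR.matcher(viewSource);
        while (m.find()) {
            safeActions.add(viewId + ":" + m.group(1));
        }
    }

    // Decide whether an actionMethod request parameter may be invoked at all.
    public boolean isActionSafe(String viewId, String actionMethod) {
        return safeActions.contains(viewId + ":" + actionMethod);
    }

    public static void main(String[] args) {
        // Constructed sample markup, modelled on the task list in the thread.
        String taskListView = "<s:button action=\"#{taskManager.loadTaskNode}\""
                + " taskInstance=\"#{jTask}\" value=\"Review\" view=\"/taskInfo.xhtml\"/>";
        SafeActionsDemo safe = new SafeActionsDemo();
        safe.registerView("/taskList.xhtml", taskListView);

        // A bookmarked link replayed later: the expression is on that page, so it is accepted.
        System.out.println(safe.isActionSafe("/taskList.xhtml", "taskManager.loadTaskNode"));
        // A value the page never declares is rejected.
        System.out.println(safe.isActionSafe("/taskList.xhtml", "taskManager.someOtherMethod"));
        // The same expression claimed for a view that does not declare it is rejected too.
        System.out.println(safe.isActionSafe("/taskInfo.xhtml", "taskManager.loadTaskNode"));
    }
}
```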