Task #232 (new)
Opened 18 years ago
Last modified 17 years ago
Session accessing code can disable read security
| Reported by: | jamoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | major | Milestone: | GatherReqs |
| Component: | Security | Version: | 3.0-M3 |
| Keywords: | hibernate,filters,sessions | Cc: | |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | n.a. |
| Sprint: | n.a. |
Description
Since read security is based on filters and the Hibernate session provides methods to disable filters, thereby turning read security off. This implies that class-based queries are, in general, dangerous.
One fix would be to wrap the Session with a proxy and catch all calls to disable filters. (The proxy would probably also need to implement SessionImplementor).
Change History (3)
comment:1 Changed 18 years ago by jmoore
- Milestone changed from 3.0-M3 to 3.0-M4
comment:2 Changed 17 years ago by jmoore
- Milestone changed from 3.0-Beta2 to GatherReqs
- Priority changed from minor to major
comment:3 Changed 17 years ago by jmoore
It's important to know just who we are going to allow to write services. If not just anyone (drop in 3rd party jars, for example), then we can leave this a bit raw.
Note: See
TracTickets for help on using
tickets.
You may also have a look at Agilo extensions to the ticket.
Moving to milestone:3.0-M4. Need a good discussion between the service writers.