Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

Task #232 (new)

Opened 14 years ago

Last modified 13 years ago

Session accessing code can disable read security

Reported by: jamoore Owned by: jamoore
Priority: major Milestone: GatherReqs
Component: Security Version: 3.0-M3
Keywords: hibernate,filters,sessions Cc:
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: n.a.
Sprint: n.a.

Description

Since read security is based on filters and the Hibernate session provides methods to disable filters, thereby turning read security off. This implies that class-based queries are, in general, dangerous.

One fix would be to wrap the Session with a proxy and catch all calls to disable filters. (The proxy would probably also need to implement SessionImplementor).

Change History (3)

comment:1 Changed 13 years ago by jmoore

  • Milestone changed from 3.0-M3 to 3.0-M4

Moving to milestone:3.0-M4. Need a good discussion between the service writers.

comment:2 Changed 13 years ago by jmoore

  • Milestone changed from 3.0-Beta2 to GatherReqs
  • Priority changed from minor to major

comment:3 Changed 13 years ago by jmoore

It's important to know just who we are going to allow to write services. If not just anyone (drop in 3rd party jars, for example), then we can leave this a bit raw.

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

1.3.13-PRO © 2008-2011 Agilo Software all rights reserved (this page was served in: 0.110166 sec.)

We're Hiring!