Author | Message |
---|---|
ashoush
Posts: 25
|
Posted 00:34 Dec 01, 2009 |
Hello Dr. Sun,
Would you please shed some light on the correct way of testing the security settings? I think just copying the URL between two different browsers is not enough because for example a Submission creater class may call the getOnlineAssignmentById() and an "Access Denied" may be thrown because of that, but it doesn't mean that the submission creation is secured (or maybe it does???). So your explanation here would be really helpful.
Thanks, Arash
Last edited by ashoush at
00:34 Dec 01, 2009.
|
cysun
Posts: 2935
|
Posted 08:12 Dec 01, 2009 |
The way to look at this is to check whether the step you are securing can be bypassed. For example, to create an OnlineSubmission object, the step saveOnlineSubmission() cannot be bypassed, so if you secure that method, you know you are fine no matter what. Generally speaking, to secure an object, we need to look at creation, reading, updating, and deletion (CRUD) of the object. For creation, you should consider securing saveXXX() methods; for reading, the getXXX() methods; and for updating and deletion, the getXXX() and/or the saveXXX() methods. |
cysun
Posts: 2935
|
Posted 08:16 Dec 01, 2009 |
BTW, URL security is significantly more efficient than method/object security. So if some access control can be done using either URL security or method/object security, choose URL security. |