Re: protecting URL mounted targets


Eelco Hillenius
I already implemented it. I didn't make it the default behavior
though, and for the sake of simplicity, I made it an app-wide setting,
rather than providing the ability to set it for separate targets.

The feature can be turned on like this:

getSecuritySettings().setEnforceMounts(true);

If true, only requests through the path are allowed; if, for instance,
a mounted bookmarkable page is accessed using a URL with a
bookmarkablePage parameter, an error code (request target) will be
issued, so that the client gets:

HTTP ERROR: 403
Direct access not allowed for mounted targets

It will also be logged with level error.

Eelco


On 9/30/06, Eelco Hillenius <[hidden email]> wrote:

> While writing Wicket In Action, I thought of a missing feature of URL
> mounting. If you want to protect your application with some URL
> schema, URL mounting would potentially be suitable for that. However,
> mounted resources are currently still available using e.g. a
> bookmarkablePage parameter as well. I think we should come up with
> some way to protect this, maybe by default, so that a mounted request
> target can *only* be reached through that URL.
>
> WDYT? Any volunteers for implementing this? Shouldn't be too hard, but
> I'm very busy with making the book's deadline myself.
>
> Eelco
>
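
Added example, not part of the original message and not Wicket's own code: a simplified Java model of the rule the message describes, where a mounted target reached through a bookmarkablePage parameter gets a 403 once the setting is on. The class name EnforceMountsModel, the method statusFor, the mount path and the page class names are all hypothetical, and the model assumes the parameter value is a plain class name.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/** Simplified model of the enforce-mounts rule; hypothetical, not Wicket's implementation. */
public class EnforceMountsModel {
    private final Map<String, String> mounts = new HashMap<>(); // mount path -> page class
    private boolean enforceMounts = false; // off by default, as the message states

    void mount(String path, String pageClass) { mounts.put(path, pageClass); }
    void setEnforceMounts(boolean on) { enforceMounts = on; }

    /** HTTP status this model gives a request with the given path and query string. */
    int statusFor(String path, String query) {
        if (mounts.containsKey(path)) {
            return 200; // reached through the mount path: always allowed
        }
        String target = param(query, "bookmarkablePage");
        if (target != null && enforceMounts && mounts.containsValue(target)) {
            return 403; // mounted target addressed directly by class name
        }
        return 200; // unmounted page, other request, or enforcement disabled
    }

    /** Returns the decoded value of a query parameter, or null if it is absent. */
    private static String param(String query, String name) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            // Decode before comparing, so a percent-encoded class name
            // cannot slip past the string match against mounted classes.
            if (kv.length == 2 && kv[0].equals(name)) {
                return URLDecoder.decode(kv[1], StandardCharsets.UTF_8);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        EnforceMountsModel app = new EnforceMountsModel();
        app.mount("/admin/users", "com.example.UserAdminPage"); // constructed names
        String direct = "bookmarkablePage=com.example.UserAdminPage";
        System.out.println(app.statusFor("/app", direct)); // setting off: direct access works
        app.setEnforceMounts(true);
        System.out.println(app.statusFor("/app", direct)); // direct access to a mounted page
        System.out.println(app.statusFor("/app", "bookmarkablePage=com%2Eexample%2EUserAdminPage"));
        System.out.println(app.statusFor("/admin/users", null)); // via the mount path
        System.out.println(app.statusFor("/app", "bookmarkablePage=com.example.HelpPage")); // unmounted
    }
}
```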

_______________________________________________
Wicket-develop mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wicket-develop