Security through obscurity
April 25, 2008
A while ago I changed the title of this blog to include the new project I’m working on, Kauri, a web application platform.
From time to time, I look around at what other people are doing, and so stumbled across the Wicket in Action book. You can download a draft of the first chapter for free. As I started reading, my attention sharpened when I saw the statement “There are some problems with this REST approach”. Which problems, you wonder? Well, for example:
Say for instance that you are authorized to view only part of the product database. With the product ids being passed around in the URLs what stops you from just trying a code or writing down one you saw your colleague from department Z use (you noticed the id in the URL when getting some coffee)? You’ll have to explicitly check whether the user is allowed to see a certain result. This can mean quite a lot of work and chances are you forget something.
Certainly a valid, but not very strong approach to security!
Regardless of the above quote, Wicket is probably a great framework, but it doesn’t give a good impression to read such things.
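One way to make the explicit check the book calls for routine rather than easy to forget is to route every lookup through a single authorization rule. This is an added example, not code from the post, from the Wicket book or from Kauri; all names, records and the department rule are constructed.

```python
# Added example: product lookups keyed by the id that appears in the URL, where the
# id is treated as untrusted input and every read passes through one rule (can_view).
from dataclasses import dataclass

@dataclass(frozen=True)
class Product:
    product_id: int
    department: str
    name: str

@dataclass(frozen=True)
class User:
    username: str
    departments: frozenset

# Constructed sample database; in a real application this would be a query.
PRODUCTS = {
    101: Product(101, "A", "Widget"),
    102: Product(102, "Z", "Gadget"),
}

def can_view(user, product):
    """The single authorization rule: a user sees only products of their own departments.
    Keeping it in one place is what stops a new endpoint from forgetting the check."""
    return product.department in user.departments

def get_product(user, product_id):
    """Handle GET /products/{id}. Returns (http_status, product_or_None).

    The same answer is given for an id that does not exist and for one the caller
    may not see, so that trying ids reveals nothing about which ones exist."""
    product = PRODUCTS.get(product_id)
    if product is None or not can_view(user, product):
        return 404, None
    return 200, product

def list_products(user):
    """Handle GET /products. Filtering through the same rule means the listing and
    the detail endpoint can never disagree about what a user is allowed to see."""
    return [p for p in PRODUCTS.values() if can_view(user, p)]
```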
Global search and replace
April 24, 2008
Karel has been working on a great new Daisy feature: the ability to perform a search-and-replace across a selection of documents. A nice tour of this feature is in the documentation.
In the background, it is implemented as a special kind of document task. There’s all sorts of nifty stuff involved, like handling of markup during search and replace, being able to keep the original casing of words, etc.
Unrelated to this search-and-replace, other recent improvements include:
- The fulltext search screen became more powerful: for example, it is possible to freely select document collections, and it is customizable through configuration.
- Some workflow-related improvements happened, especially the ability to embed workflow queries in publisher requests, so that it is possible to show workflow information along with documents.
- PDF renderer unification: with the new generation of the FOP XSL-FO processor available, we have been able to remove the dependency on the commercial IBEX XSL-FO engine for the books publishing, so that the same engine is now used everywhere for the creation of PDFs.