[Seaside] Security

Ross Boylan RossBoylan at stanfordalumni.org
Sun May 3 17:46:33 UTC 2009


On Sun, 2009-05-03 at 11:44 -0300, Sebastian Sastre wrote:
> Hi Ross,
> it sounds very application specific. Session aside, Seaside will not directly
> help you on that. Especially on application data. That's responsibility of the
> app design. 
> Of course nothing will prevent you to implement the appropriate additional levels
> of security to suffice your app needs as you would in any other framework.
> cheers,
> sebastian

I think there is a part that relates to Seaside.  This and other replies
have suggested the issue is the design of my application or web security
in general; this may be because you all know that the stuff at the
Seaside level is OK.  I don't, and would still like info at that level. I
know those other levels matter too.  

Let me be more explicit. A request comes in through the web.  Assuming
an attacker can put anything they want in the request, there are two
concerns.  

First, the attacker could pretend to be someone else.  I need Seaside to
identify accurately who the requestor is or to reject forged requests
before they get to my code.  Previous discussion on the list indicates
that, with suitable precautions, an outsider cannot hijack an existing
session.  Can someone with a legitimate session assume another identity?
Can someone without a session assume an identity?

Second, the request could attempt to execute some code that is outside
the normal flow of operations.  I don't know if the latter is possible
with Seaside; in other frameworks such as Zope it is possible (and it
has security systems to keep this in check).  Or they could start
traversing the object graph, even with the debugging interface off.
Again, I'm not clear: are either of these scenarios (access to code or
objects) possible?  Are they?

The possible application involves health information, so the security
requirements are quite strict.

Ross

> 
> > -----Original message-----
> > From: seaside-bounces at lists.squeakfoundation.org 
> > [mailto:seaside-bounces at lists.squeakfoundation.org] On behalf 
> > of Ross Boylan
> > Sent: Saturday, May 02, 2009 18:23
> > To: Seaside - general discussion
> > Subject: [Seaside] Security
> > 
> > If I have data that I want to be sure can only be seen by specific
> > users, is there a way to do that in Seaside?
> > 
> > All the previous discussion I've seen on this list concerns session
> > security.  While that is necessary, it is not sufficient.  My 
> > concern is
> > more that someone with a legitimate session could use it to get at
> > something unauthorized.
> > 
> > I understand I can write my app to only show the right things; can a
> > determined client get around that?
> > 
> > Ross Boylan
> > 
> > 
> > _______________________________________________
> > seaside mailing list
> > seaside at lists.squeakfoundation.org
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
> 