[Seaside] Seaside Security (was: Seaside playground)
renggli at gmail.com
Wed Jan 13 13:38:57 UTC 2010
> However - in old seaside app's it was often easily possible
> to check for http://yourhost/seaside/browse and use the
> web based Smalltalk browser (which is also accessible when
> halos are enabled) and change the code in an existing
> #renderContentOn: method adding some "trojan" code.
The most secure and suggested way to gain security is to simply not
load the development code into the deployment image.
> Only a browser refresh was required to execute it ...
Or to remove or block these applications from your server.
> I would vote for an easy way to switch between dev-mode
> and a more secure production mode so people use it.
This is a one-click operation: you remove the
WADevelopmentConfiguration from the 'Application Defaults'.
> And an extra chapter on it in the seaside book!
This is, by the way, described in the seaside book:
Of course it could be improved, if you have some additional text we
are happy to integrate it.
More information about the seaside
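The post's first recommendation (keep development code out of the deployment image) needs no code. For the fallback it mentions, removing WADevelopmentConfiguration from the application defaults and taking the development handlers such as /seaside/browse off the server, here is a scripted form as an added example; it is not code from the message or from the Seaside project. It assumes the Seaside 3.x class-side messages WAAdmin applicationDefaults, removeParent: and WAAdmin unregister: and the handler names listed below; the handler list and the sanity check at the end are constructed for illustration.

```smalltalk
"Added deployment-hardening snippet (not from the mailing-list post).
 Assumes Seaside 3.x: WAAdmin applicationDefaults, removeParent:, unregister:."
| defaults devHandlers |
"1. Drop the development configuration from the shared application defaults,
 the same step the post describes as a one-click operation in the config UI.
 Without it halos and the web-based Smalltalk browser are not offered."
defaults := WAAdmin applicationDefaults.
defaults removeParent: WADevelopmentConfiguration instance.

"2. Unmount the development tools so that URLs like /seaside/browse and
 /seaside/config no longer answer at all (handler names are assumptions)."
devHandlers := #('browse' 'config' 'tests' 'tools' 'examples').
devHandlers do: [ :each | WAAdmin unregister: each ].

"3. Sanity check: refuse to continue if the development configuration is
 still reachable through the defaults' ancestors."
(defaults ancestors includes: WADevelopmentConfiguration instance)
    ifTrue: [ self error: 'development configuration still active' ].
```

Run this once in the deployment image before it is exposed; if your image never loaded the Seaside-Development packages in the first place, step 2 simply has nothing to remove.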