[Seaside] Seaside Security (was: Seaside playground)

Lukas Renggli renggli at gmail.com
Wed Jan 13 13:38:57 UTC 2010


> However - in old seaside app's it was often easily possible
> to check for http://yourhost/seaside/browse and use the
> web based Smalltalk browser (which is also accessible when
> halos are enabled) and change the code in an existing
> #renderContentOn: method adding some "trojan" code.

The most secure and suggested way to gain security is to simply not
load the development code into the deployment image.

> Only a browser refresh was required to execute it ...

Or to remove or block these applications from your server.

> I would vote for an easy way to switch between dev-mode
> and a more secure production mode so people use it.

This is a one-click operation: you remove the
WADevelopmentConfiguration from the 'Application Defaults'.

> And an extra chapter on it in the seaside book!

This is, by the way, described in the seaside book:

    http://book.seaside.st/book/advanced/deployment/deployment-preparing

Of course it could be improved, if you have some additional text we
are happy to integrate it.

Lukas

-- 
Lukas Renggli
http://www.lukas-renggli.ch
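An added example, not part of the mail above: the deployment-preparation steps Lukas describes, as a script run once in the image that is going to be deployed (Seaside 3). The removeParent: call is the one the linked book chapter documents; the handler names 'browse', 'config' and 'tools' passed to unregister: are an assumption and should be checked against what the default dispatcher actually has registered.

```smalltalk
"Step 1 (the 'one-click operation' from the mail): take the development
 configuration out of the Application Defaults so that halos, the web
 based code browser and friends are no longer offered by any application."
WAAdmin applicationDefaults
    removeParent: WADevelopmentConfiguration instance.

"Step 2 ('remove or block these applications'): unregister the development
 tool entry points so /seaside/browse etc. are not reachable at all.
 Assumption: these are the names under which the tools were registered;
 inspect WAAdmin defaultDispatcher to confirm before relying on this."
#('browse' 'config' 'tools') do: [ :each |
    WAAdmin unregister: each ].

"Step 3 (the preferred option in the mail) cannot be scripted here:
 simply never load the development packages into the deployment image."
```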

