The auto-hashing sounds interesting to me--as long as the hash could
be seeded by the individual application developer (or even on a
per-user basis using a session ID, etc.). I didn't totally follow what
you meant by the security manager scenario, though. Could you
elaborate a bit on that?
Thanks!
/dev/mrg
On 4/12/07, Robert Zeigler <robert..uregumption.com> wrote:
> So, I currently work around this issue by validating server-side that
> the user has the appropriate permissions to edit the object[s] that
> came back with the request. However, I've been thinking for a while
> now of extending my existing squeeze adapter implementation (the one
> on Tassel) to address security concerns like this. One possibility
> would be to use some sort of hashing mechanism, as mentioned by
> Peter. Another possibility (which is something I'm leaning towards)
> is to allow for some sort of "security manager", where the squeeze
> adapter can "re-inflate" the object, then hand it off to the security
> manager for inspection to make sure that the user responsible for the
> current request has permission to access the object. Thoughts/comments?
>
> Robert
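
The seeded-hash idea from this thread, as an added example that is not code from Tapestry, Tassel, or either poster: a keyed hash (HMAC-SHA256, chosen here as an assumption) over the squeezed value and the session ID is appended on the way out and verified before the value is re-inflated. The class name `SignedSqueezer`, its methods, and the sample values are hypothetical; a valid tag only shows the value was issued to this session unmodified, so a permission check on the re-inflated object is still a separate step.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper, not part of Tapestry or Tassel: appends a keyed hash
// to a squeezed value so tampering is detected before it is re-inflated.
public class SignedSqueezer {
    private final byte[] appSecret; // seed chosen by the application developer
    public SignedSqueezer(byte[] appSecret) { this.appSecret = appSecret.clone(); }
    private byte[] tag(String sessionId, String squeezed) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(appSecret, "HmacSHA256"));
        // Length-prefix the session ID so (session, value) pairs cannot be confused.
        mac.update((sessionId.length() + ":" + sessionId).getBytes(StandardCharsets.UTF_8));
        return mac.doFinal(squeezed.getBytes(StandardCharsets.UTF_8));
    }
    public String squeeze(String sessionId, String squeezed) throws Exception {
        String t = Base64.getUrlEncoder().withoutPadding().encodeToString(tag(sessionId, squeezed));
        return squeezed + "." + t; // '.' never occurs in URL-safe Base64
    }

    // Returns the original squeezed value, or throws if the tag does not verify.
    public String unsqueeze(String sessionId, String signed) throws Exception {
        int dot = signed.lastIndexOf('.');
        if (dot < 0) throw new SecurityException("missing tag");
        String squeezed = signed.substring(0, dot);
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(signed.substring(dot + 1)); }
        catch (IllegalArgumentException e) { throw new SecurityException("malformed tag"); }
        if (!MessageDigest.isEqual(tag(sessionId, squeezed), given)) // constant-time compare
            throw new SecurityException("tag mismatch");
        return squeezed;
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SignedSqueezer s = new SignedSqueezer(secret);
        String signed = s.squeeze("session-A", "Order:42"); // constructed sample value
        System.out.println(s.unsqueeze("session-A", signed));
        try { s.unsqueeze("session-A", signed.replace("42", "43")); } // edited object ID
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        try { s.unsqueeze("session-B", signed); } // value replayed under another session
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```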
This archive was generated by hypermail 2.0.0 : Sat Apr 28 2007 - 09:09:52 EDT