Page parameters (in Seam) or GET parameters (in general) are often mentioned as a proper means to transfer information from one view to another. But obviously it is not a good idea to have sensitive data in the URL, e.g. //myserver/show.jsf?userId=12, since it is easy to manipulate these params and look at data someone is not permitted to look at.
So far I've been using what examples and literature show (because until now it was not important):
<s:link..>
<f:param value="#{user.id}" name="userId" />
</s:link>
in the JSF file, and in the corresponding target page.xml:
<param name="userId" value="#{userHome.userId}" />
I am interested in two things (still kind of new to Seam):
1) What different strategies for securing against unpermitted access (e.g. to other users' accounts) are you using if you want to stick to page parameters? I'm sure some of you have faced that challenge already. And what are the pros and cons of these strategies?
2) I want to make use of the Seam EntityHome objects here and there in the project, since they offer comfortable handling of entities and a kind of DAO structure - but how do you work efficiently with Home objects if not using page parameters?
I would appreciate some thoughts and experiences from you guys. Thanks a lot.
josh
GET parameters are not inherently unsafe; all REST services rely on data being put in the URL. Parameters (GET or POST) are unsafe if your user detail page, in your example, does not check whether you actually have access to user account "12". Also, don't think POST parameters are any harder to manipulate than GET parameters.
So, your code should check if you are entitled to view sensitive data. To handle unauthorized access, you can just throw an org.jboss.seam.security.AuthorizationException in the setUserId() method if the user is setting an ID he is not entitled to. Launching this exception makes Seam follow the exception handling mechanism described in pages.xml (by default it redirects to the /error.xhtml page with an error message).
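The check described in the reply, written out as an added example (not code from the poster or from Seam itself). It assumes a User entity with a Long id and a username that equals the logged-in principal's name, and a role named "admin" that may view any account; the userId property is the one bound by the page parameter in the question.

```java
// Added example, not the poster's code. Assumes: a User entity with a Long id
// and a getUsername() matching the logged-in principal, and an "admin" role.
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.framework.EntityHome;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;

@Name("userHome")
@Scope(ScopeType.CONVERSATION)
public class UserHome extends EntityHome<User> {

    @In
    private Identity identity;

    // Bound by <param name="userId" value="#{userHome.userId}" /> in the
    // target page.xml, so this runs before the view renders.
    public void setUserId(Long userId) {
        if (userId != null && !mayView(userId)) {
            // Seam routes this to the AuthorizationException handler in
            // pages.xml (by default a redirect to /error.xhtml).
            throw new AuthorizationException(
                "Not permitted to view user " + userId);
        }
        setId(userId);
    }

    public Long getUserId() {
        return (Long) getId();
    }

    // Ownership check: a user may view only their own account, an admin any.
    // An unknown id is treated as "not permitted" rather than "not found",
    // so the URL parameter cannot be used to probe which ids exist.
    private boolean mayView(Long userId) {
        if (!identity.isLoggedIn()) {
            return false;
        }
        if (identity.hasRole("admin")) {
            return true;
        }
        User requested = getEntityManager().find(User.class, userId);
        return requested != null
            && requested.getUsername().equals(identity.getPrincipal().getName());
    }
}
```

The matching pages.xml entry is an `<exception class="org.jboss.seam.security.AuthorizationException">` element whose `<redirect view-id="/error.xhtml">` carries the message shown to the user; put the same check in any other Home or action that accepts an id, since the page parameter is only one of the paths by which an id reaches the component.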