Seaside Security (was: Seaside playground)

Torsten Bergmann
The old seaside 2.8 made it easy to switch to deploymentMode
using an application preference.

Since this is not supported in 3.0 it is often the question
how to disable developer facilities...

However - in old seaside apps it was often easily possible
to check for http://yourhost/seaside/browse and use the
web based Smalltalk browser (which is also accessible when
halos are enabled) and change the code in an existing
#renderContentOn: method adding some "trojan" code.

Only a browser refresh was required to execute it ...

I would vote for an easy way to switch between dev-mode
and a more secure production mode so people use it.
And an extra chapter on it in the seaside book!
 
Bye
T.
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Re: Seaside Security (was: Seaside playground)

Lukas Renggli
> However - in old seaside apps it was often easily possible
> to check for http://yourhost/seaside/browse and use the
> web based Smalltalk browser (which is also accessible when
> halos are enabled) and change the code in an existing
> #renderContentOn: method adding some "trojan" code.

The most secure and suggested way to gain security is to simply not
load the development code into the deployment image.

> Only a browser refresh was required to execute it ...

Or to remove or block these applications from your server.

> I would vote for an easy way to switch between dev-mode
> and a more secure production mode so people use it.

This is a one-click operation: you remove the
WADevelopmentConfiguration from the 'Application Defaults'.

> And an extra chapter on it in the seaside book!

This is by the way described in the seaside book:

    http://book.seaside.st/book/advanced/deployment/deployment-preparing

Of course it could be improved, if you have some additional text we
are happy to integrate it.

Lukas

--
Lukas Renggli
http://www.lukas-renggli.ch
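
A workspace script for the deployment steps discussed in this thread, as an added example that is not part of either message and is not Seaside's own code. It assumes the Seaside 3.0 `WAAdmin` facade; the entry-point name 'browse' is taken from the URL quoted in the thread and may differ in your image, which is why the script ends by listing whatever is still registered.

```smalltalk
"Added example: evaluate in the image that will be deployed."
| devConfig dispatcher |
devConfig := WADevelopmentConfiguration instance.
dispatcher := WAAdmin defaultDispatcher.

"1. Programmatic form of the one-click step: remove
    WADevelopmentConfiguration from 'Application Defaults'."
(WAAdmin applicationDefaults parents includes: devConfig)
    ifTrue: [ WAAdmin applicationDefaults removeParent: devConfig ].

"2. Unregister the web-based browser if it is present.
    The name 'browse' is an assumption based on the thread's URL."
(dispatcher handlers includesKey: 'browse')
    ifTrue: [ WAAdmin unregister: 'browse' ].

"3. Verify: the development configuration must be gone, and every
    remaining entry point should be one you intend to expose."
Transcript
    show: 'Development configuration still inherited: ';
    show: (WAAdmin applicationDefaults parents includes: devConfig) printString;
    cr;
    show: 'Registered entry points: ';
    show: dispatcher handlers keys asSortedCollection asArray printString;
    cr.
```

Any development tool that still appears in the printed list has to be unregistered or blocked at the front-end web server; not loading the development packages into the deployment image at all remains the stronger option.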