Seam Remoting’s default allow
Stumbled on another difference in approach between security types and developer types, this time in Seam's remoting functionality.
Remoting makes it a doddle to access your Seam server-side beans from the client side, including domain objects. For example, if you had a server-side entity called User.java:
    @Entity
    public class User {
        private String username;
        private String password;
        // Getters and setters...
    }
and you have a WebRemote method such as:
    @WebRemote
    public abstract User findUser(String searchQuery);
By default, when you call the remote method from JS, e.g.:
    Seam.Component.getInstance("userManagementBean").findUser("bob", callback);
Seam returns all of the object's fields in the XML response. If you don't want some fields transferred, you have to explicitly deny them! This could catch a lot of developers out if they forget to explicitly deny sensitive details and instead rely on the client side not to display them, even though they are right there in the XML response.
Seam Remoting scanner anyone?
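As an added example (not code from the original post or from Seam itself), here is the same bean hardened in two ways: the entity is still returned but the password field is denied through the exclude attribute of @WebRemote, and alongside it a variant that returns a purpose-built view object so the entity's sensitive fields never reach the serializer at all. The bean name matches the JS call above; the UserView class, the lookup query and the package-private entity are assumptions made for this listing.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.remoting.WebRemote;

@Entity
class User {
    @Id private Long id;
    private String username;
    private String password;   // credential hash: must never reach the browser
    public Long getId() { return id; }
    public String getUsername() { return username; }
}

// Assumed view type: carries only the fields the page actually needs.
class UserView {
    private final Long id;
    private final String username;
    UserView(Long id, String username) { this.id = id; this.username = username; }
    public Long getId() { return id; }
    public String getUsername() { return username; }
}

@Name("userManagementBean")
public class UserManagementBean {
    @In private EntityManager entityManager;
    // Mitigation 1: keep returning the entity but deny the sensitive field by name.
    // Remoting's default is allow-all, so every sensitive field must be listed here.
    @WebRemote(exclude = {"password"})
    public User findUser(String searchQuery) {
        return lookup(searchQuery);
    }

    // Mitigation 2: return a view type instead of the entity, so a field added to
    // User later cannot leak through an exclude list that nobody updated.
    @WebRemote
    public UserView findUserView(String searchQuery) {
        User u = lookup(searchQuery);
        return u == null ? null : new UserView(u.getId(), u.getUsername());
    }

    private User lookup(String username) {
        List<User> hits = entityManager.createQuery(
            "select u from User u where u.username = :name").setParameter("name", username).getResultList();
        return hits.isEmpty() ? null : hits.get(0);
    }
}
```

The view-object route is the one to prefer for anything that carries credentials, since an exclude list has to be kept in step with every new field on the entity.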
Comments
more technical :(
“more technical :(”
Need a bit more detail than a sad face.
I think this is pretty clear. Even Seam documentation is explicit about issues with security when using @WebRemote
http://tinyurl.com/put3st