[Opensource] DBCreate servlet security question
Michael Rimov
rimovm at centercomp.com
Fri Jun 7 12:32:39 PDT 2002
At 07:15 PM 6/6/2002 -0400, you wrote:
>Hi,
>
>I know how we can administer security for DBObjects and Controllers
>in Expresso 4.1, but I couldn't find a way to restrict the
>users from accessing DBCreate servlet.
>Is there a way to setup some security for DBCreate servlet,
>so only the authorized users can create/initialize databases?
Hi Milen! You've stumbled on a bug specific to DBCreate unfortunately. I
agree it's a security issue [in fact it's listed in the known bug database]
I think the easiest way to fix it perhaps would be to make it a secured
object would be to derive from DBServlet, and override isAllowed() to first
check to see if it can list the security table at all. If an exception is
thrown then we assume that the db isn't created, and if it is then call
super() to check standard security information.
Thoughts on this?
-Mike
More information about the Opensource
mailing list