mugle-dev team mailing list archive

Thread
Date

[Bug 786016] Re: Direct Access to Services from client side

To: mugle-dev@xxxxxxxxxxxxxxxxxxx
From: Prageeth Silva <786016@xxxxxxxxxxxxxxxxxx>
Date: Sat, 21 May 2011 04:38:16 -0000
Reply-to: Bug 786016 <786016@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I hadn't thought about it that seriously too regarding what Matt is saying.But about the question Scott has, this is what I meant the other day. But as far as I remember, we have our own server-side security running and they are all in the ServiceImpls. And as far as the client is concerned, the only way to directly access the objects is to use the services and services only interface to the client via wrapper classes (they only take wrapper class as parameters and return only wrapper classes as well). the write/create methods were wrapped around by each object was to make the design look neater, not for any security purpose. So anyone actually can go instantiate a Service and use it, but it still requires a wrapper object and the client shall never have access to a data object.
Hope it made sense?

-- 
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786016

Title:
  Direct Access to Services from client side

Status in Melbourne University Game-based Learning Environment:
  Triaged

Bug description:
  While Prageeth has coded the casting of shared objects to datastore
  objects to have security checks, these can be bypassed by calling the
  shared services directly.  The type of these classes should be changed
  to Protected if possible to avoid this

References

[Bug 786016] [NEW] Direct Access to Services from client side
From: Scott Ritchie, 2011-05-20