Security and Authorization

Protecting Against the AJAX of Evil


Authorization: what’s that all about? Did you think we’d already done security in Chapter 5? Shouldn’t we be finished with it? Do we really need to keep looking at security? Well, we did do some security work in Chapter 5, but we in no way finished the subject. In Chapter 5, we focused on authentication: strategies for letting our users prove who they are. However, just because our web site knows who it is dealing with doesn’t mean it knows what that person is allowed to do. What rights to data do they have? What can they see? What can they do? Our security system so far is URL based, so we can restrict certain pages to certain users, but every logged-in user is allowed to reach the RPC mechanism, and if the RPC layer isn’t secure, nothing is. On top of this, knowing who is logged in doesn’t tell us that a request actually came from that user; it could just as well have been fired off by a malicious script running in their browser.
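The two gaps the chapter sets out to close can be shown in a few lines. The following is an added example, not code from the book or from GWT; it models the server side in Python rather than Java so the logic stands alone. The URL rule table, the RPC method whitelist, the method names (`getMyPosts`, `postComment`, `deleteAnyPost`) and the single shared endpoint `/app/rpc` are all constructed for illustration. The "before" dispatcher relies on URL rules alone; the hardened one adds a per-method authorization whitelist in the service layer and an anti-CSRF token that a script in the victim's browser cannot read, so a request that carries the right cookie but no token is refused.

```python
"""Why URL-based security alone does not protect a shared RPC endpoint.

Constructed example: a URL rule table, one RPC servlet path that every
logged-in user may reach, a service-layer method whitelist, and a
per-session anti-CSRF token checked on every RPC call.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

# URL rules of the kind an authentication layer gives us (hypothetical paths).
URL_RULES = {
    "/admin/": {"ROLE_ADMIN"},
    "/app/": {"ROLE_USER", "ROLE_ADMIN"},
}

# Service-layer whitelist: each RPC method and the roles allowed to call it.
# A method that is not listed is refused, so forgetting one fails closed.
RPC_WHITELIST = {
    "getMyPosts": {"ROLE_USER", "ROLE_ADMIN"},
    "postComment": {"ROLE_USER", "ROLE_ADMIN"},
    "deleteAnyPost": {"ROLE_ADMIN"},
}

RPC_PATH = "/app/rpc"  # the one servlet every RPC call goes through


@dataclass
class Session:
    user: str
    roles: Set[str]
    # Random per-session token; the page embeds it and sends it back on each
    # RPC call. A cross-site script cannot read it, so it proves the origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    path: str
    method: Optional[str] = None       # RPC method name when path == RPC_PATH
    csrf_token: Optional[str] = None   # token copied from the page, if any


def url_allowed(path: str, roles: Set[str]) -> bool:
    """The URL-based check from the authentication chapter: prefix rules only."""
    for prefix, allowed in URL_RULES.items():
        if path.startswith(prefix):
            return bool(roles & allowed)
    return False  # no rule matched: deny by default


def dispatch_url_only(session: Session, req: Request) -> str:
    """Before: URL rules alone. Any logged-in user can invoke any RPC method,
    and a request forged by a script in the user's browser looks identical."""
    if not url_allowed(req.path, session.roles):
        return "403 url"
    if req.path == RPC_PATH:
        return f"ok {req.method}"
    return "ok page"


def dispatch_hardened(session: Session, req: Request) -> str:
    """After: URL rules, then origin proof and per-method authorization."""
    if not url_allowed(req.path, session.roles):
        return "403 url"
    if req.path == RPC_PATH:
        # 1. Prove the request came from our page, not from a cross-site script:
        #    the browser sends the cookie automatically, but only our page knows
        #    the token. Constant-time compare avoids leaking it byte by byte.
        if req.csrf_token is None or not hmac.compare_digest(
            req.csrf_token, session.csrf_token
        ):
            return "403 csrf"
        # 2. Authorize the specific method, not just the servlet URL.
        allowed = RPC_WHITELIST.get(req.method)
        if allowed is None or not (session.roles & allowed):
            return "403 method"
        return f"ok {req.method}"
    return "ok page"


if __name__ == "__main__":
    alice = Session("alice", {"ROLE_USER"})
    forged = Request(RPC_PATH, "deleteAnyPost")  # cookie rides along, no token
    print("url-only :", dispatch_url_only(alice, forged))
    print("hardened :", dispatch_hardened(alice, forged))
```

Two checks are worth noting in the hardened version: the whitelist is consulted by method name, so a new RPC method is unreachable until someone deliberately lists it, and the token comparison uses `hmac.compare_digest` rather than `==` so that a wrong token takes the same time to reject regardless of how many leading bytes match.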





Copyright information

© Jeff Dwyer 2008
