RE: Potential Security Flaw in Struts MVC

[Nanduri, Amarnath]

Any thing dealing with security, (including security validation) keep it in the request scope. That way no other developer (at runtime) can access the security data. [Nanduri, Amarnath]  -----Original Message----- From: Hogan, John [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 1:10 PM To: '[EMAIL PROTECTED]' Subject: RE: Potential Security Flaw in Struts MVC Wouldn't this not be a concern because the user would never be in the session on the target server? -----Original Message----- From: Jeff Trent [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 11:37 AM To: [EMAIL PROTECTED] Subject: Potential Security Flaw in Struts MVC I may be wrong about this (only been working w/ Struts for a week now).  But I do see a potential security flaw in struts that I would like to hear from others regarding.   Consider a simple set of struts classes that represent a user in a system. You would probably have classes that look something like this:     User                (the model representing the user)     UserForm        (an enrollment form for a new user)     UserAction        (Saves the UserForm information to db, etc)     The User class would have accessors and modifiers like getFirstName(), setFirstName(), getAdministrativeUserFlag(), setAdministrativeUserFlag(), etc.  The basic implementation of the UserForm is to take the UI form data, introspect the beans, and call the correct modifier of the UserForm bean based on the fields contained within the UI submission/form.  A developer of course would not expose the "Administrative User Flag" option on the UI for enrollment (that would be found possibly in some other administrative-level module).  However, if someone is familiar with the db schema and the naming convention the developer used, that user could subvert the application by writing his own version of the UI which contains an "Administrative User Flag" field (or any other field for that matter) and the basic form processing in Struts will kindly honor the request and set the "Administrative Flag" on the user.  Unless, of course, the developer makes special provisions to prevent this behavior.  However, its not entirely obvious to the struts user (in my opinion) that this is even a concern.  Am I making sense here?   - jeff