The problem is that your model does not seem to be based on a "secret" and
site names don't have a lot of entropy.  I don't know enough about your
model to give you examples of possible attacks, but it seems to be similar
to an access control model where you ask people to enter their user ID
but no password.  Saying "Oh, the client has to know a valid user name to
get in" would not be enough to make this a secure model.  If you store the
remote site information in the Session, this information is stored server-side
and a client never even gets the chance to have a go at circumventing
it.

The role model can be made to work.  You have a list of clients, or sites,
and you assign them roles.  You create a table of role-to-permissions or
simply declare the required roles in your JSP.  Then in your pages make the
following access check:

// This gives "MyApp/saveEditedPage.action" in your original example; you
// may also use getServletPath() to give you "saveEditedPage.action"
String requestURI = request.getRequestURI();
// Implement this method yourself: look up the roles permitted for this URI
String[] permittedRoles = getPermittedRoles(requestURI);
// Access is allowed if the current user holds any one of the permitted roles
boolean accessAllowed = false;
for (int i = 0; i < permittedRoles.length; i++)
{
    if (request.isUserInRole(permittedRoles[i]))
    {
        accessAllowed = true;
        break;
    }
}

This is simply an example, of course, and I don't know whether such a scheme
would work for you.
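The per-request role check above, as a servlet filter. This is an added illustration, not code from the message or from Tomcat; the class name RoleCheckFilter, the path-to-roles table and the "site" session attribute are assumptions. The site identity is read from the session the logon page filled in, so a ?site= parameter on the URL has no effect on the decision.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter; map it in web.xml to the URL pattern of the protected actions.
public class RoleCheckFilter implements Filter {
    // Constructed sample table: servlet path -> roles allowed to invoke it.
    // Keyed on getServletPath() so the context name ("/MyApp") is not part of the key.
    private static final Map<String, String[]> PERMITTED = new HashMap<String, String[]>();
    static {
        PERMITTED.put("/saveEditedPage.action", new String[] {"editor", "admin"});
        PERMITTED.put("/viewPage.action", new String[] {"reader", "editor", "admin"});
    }

    // Unknown paths get an empty role list: deny by default rather than allow.
    static String[] getPermittedRoles(String servletPath) {
        String[] roles = PERMITTED.get(servletPath);
        return roles == null ? new String[0] : roles;
    }

    static boolean isAccessAllowed(HttpServletRequest request) {
        for (String role : getPermittedRoles(request.getServletPath())) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // The logon page stored the verified site in the session (assumed attribute
        // name "site"); request.getParameter("site") is deliberately never consulted.
        HttpSession session = request.getSession(false);
        Object site = session == null ? null : session.getAttribute("site");
        if (site == null || request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!isAccessAllowed(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```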

----- Original Message ----- 
From: "Morten Andersen" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, September 26, 2003 10:33 AM
Subject: Re: Authentication - based on request parameters


> Why is that a security issue?
> I want the user to enter the site by clicking on a link or whatever, so
> that the user enters the site using that request. It should be OK that the
> user tries to go to a restricted page by writing
> blabla:8080/MyApp/restrictedRequest.action?site=JustAGuess
>
> But if that is done and the user has not got rights to do it, then he is
> being rejected...
>
> Regards
>
> Morten Andersen
>
> PS: I did consider the role-based model from Tomcat, but that is
> coarse-grained, in the sense that it is based on 1 role for one web-app,
> and that is not sufficient.
>
>
> >Something else that occurs to me is that your security model appears to
> >depend on a GET parameter in the request ("?site=MySite").  A client could
> >easily change this value to circumvent your security.  A better model is
> >that your logon page sets a value in the Session object to identify the
> >user.  Then the security depends on a very long, random session ID and it is
> >vanishingly unlikely that a client will be able to change this ID (either in
> >a URL or a cookie) and, by chance, hit on a valid session ID belonging to
> >another user.
> >
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]
>
> Morten Andersen
> Master of applied mathematics and computer science
> Amanuensis (in e-learning)
>
> The Maersk Institute of Production technology at Southern Danish University
> www.mip.sdu.dk
> Campusvej 55
> DK-5230 Odense M
> Denmark
> +45 6550-3654
> +45 6171-1103
> Jabber id: [EMAIL PROTECTED]
>
