Hi,
Yes, you are right. There are instance level security solutions such as
Acegi but they add a performance overhead and are very difficult to maintain
because you have to assign permissions to each database registry. The same
happens with custom access level solutions.
If you are using Struts there is a transparent solution for that: HDIV
(http://www.hdiv.org).
HDIV guarantees integrity (no data modification) of all the data generated
by the server which should not be modified by the client (links, hidden
fields, combo values, radio buttons, destiny pages, etc.). Thanks to this
property HDIV helps to eliminate most of the vulnerabilities based on
parameter tampering. In other words users can't update any value created by
the server and you don't have to do anything.
Having the same objective (integrity validation), HDIV has different
operation strategies: cipher, session and hash. If you select session
strategy HDIV stores the server's generated data (ids) in the HttpSession but you
can configure a cache size in order to delete old values. If you select
cipher strategy you don't have to worry about session data because HDIV
stores it at the client (ciphered) as a hidden field or a parameter if it is a
link.
By the way you can use HDIV for one Action or for the whole application, it's
configurable.
Nowadays the HDIV project has versions for Struts 1.x and Struts 2
(http://cwiki.apache.org/S2PLUGINS/hdiv-plugin.html).
regards,
Gorka. <http://www.hdiv.org>
From: Anton Pussep <[EMAIL PROTECTED]>
To: Struts Users Mailing List < user@struts.apache.org>
Date: Thu, 28 Jun 2007 11:50:49 +0000
Subject: How to avoid users changing values of hidden fields using the
URL?
Hello,
I am not sure how to deal with the problem that a user can pass own
parameter values to the action class by changing the URL if there are
setters provided.
For example I often have a hidden field in a form that stores the ID and
the action class provides a getter and a setter. But the user can change
the ID by modifying the URL (just adding "?id=42"). The problem is that
this way he might access IDs that are not meant to be seen by him, they
might belong to other users.
I cannot see a good solution for that. A permission system just to check
if the user is allowed to see this ID seems to be quite an overhead to
me. Whereas storing the ID in the session is not very handy and I have
to take care that they are removed safely.
I am pretty sure that there is a good solution for that, I would be very
grateful for any hints!
Best,
Anton
From: "Jeff Amiel" < [EMAIL PROTECTED]>
To: "Struts Users Mailing List" <user@struts.apache.org>
Date: Thu, 28 Jun 2007 07:45:06 -0500
Subject: Re: How to avoid users changing values of hidden fields using the
URL?
On 6/28/07, Anton Pussep <[EMAIL PROTECTED] > wrote:
> I cannot see a good solution for that. A permission system just to check
> if the user is allowed to see this ID seems to be quite an overhead to
> me. Whereas storing the ID in the session is not very handy and I have
> to take care that they are removed safely.
The rule of web applications (heck...all multi-tiered apps) is to
NEVER EVER trust information sent by the client.
If a user needs to have access to a particular ID, you need to check
on every request....or store his 'privileges' in the session and check
there. (session should timeout after period of inactivity and/or be
refreshed with new privilege data when it changes)
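
One way to make a server-generated hidden field tamper-evident, the goal discussed in this thread. This is an added example, not part of any message above and not HDIV's code; the class name, method names, token format and session ids are assumptions for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper, not HDIV code: makes a server-generated field value tamper-evident.
public class HiddenFieldSigner {
    private final SecretKeySpec key;

    public HiddenFieldSigner(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    // The tag covers session id, field name and value, so a token cannot be
    // replayed in another user's session or moved to a different field.
    private byte[] tag(String sessionId, String field, String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        for (String part : new String[] {sessionId, field, value}) {
            byte[] b = part.getBytes(StandardCharsets.UTF_8);
            // 2-byte length prefix keeps the concatenated parts unambiguous
            mac.update(new byte[] {(byte) (b.length >>> 8), (byte) b.length});
            mac.update(b);
        }
        return mac.doFinal();
    }
    // Value to render in the hidden field or link: "<value>.<base64url tag>".
    public String protect(String sessionId, String field, String value) throws Exception {
        byte[] t = tag(sessionId, field, value);
        return value + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(t);
    }
    // Returns the original value, or null when the submitted token was altered.
    public String verify(String sessionId, String field, String token) throws Exception {
        int dot = (token == null) ? -1 : token.lastIndexOf('.');
        if (dot < 0) return null; // a bare value such as "?id=42" carries no tag
        String value = token.substring(0, dot);
        try {
            byte[] sent = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            return MessageDigest.isEqual(sent, tag(sessionId, field, value)) ? value : null;
        } catch (IllegalArgumentException e) {
            return null; // tag is not valid base64url
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // constructed demo key
        HiddenFieldSigner s = new HiddenFieldSigner(secret);
        String token = s.protect("sess-A", "id", "17"); // constructed sample values
        System.out.println(s.verify("sess-A", "id", token)); // untouched token, same session
        System.out.println(s.verify("sess-A", "id", "42"));  // value typed into the URL
        System.out.println(s.verify("sess-B", "id", token)); // token replayed in another session
    }
}
```

A tag of this kind only shows that the value is one the server issued to that session; deciding which IDs a user may be issued in the first place remains a server-side check.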