See inline....
wnqq wrote:
Sorry that I might mislead you... Let me explain it in more details...
"Person" can easily mislead us to think of "User", so let me use "Car"
instead for the following discussions.
As far as I know, the code generated by AppGen (and the upcoming AMP)
follows the tutorial.
That means, by providing an id of an Car, we can edit or delete any Car as
long as the id exists in the database.
While that is probably true [I have not tried it myself], I don't see
how the code generator should know what your security needs are.
Well, the current tutorial does allow a User to be able to edit ALL or NONE
of Cars. However, for a practical application, a User is allowed to control
only a certain number of Cars.
In that practical case, using id is not enough to restrict Users to access
unauthorized Cars.
I have done exactly the type of authorization checking that you are
talking about. IMO, the best solution is to lock the manager methods
using Acegi Security. For example, you can only allow the "save" method
to be called if the vehicle being saved is "owned" by the user or the
user has the "admin" role. Likewise, you can filter the returned object
or list of objects so only vehicle "owned" by the user will be returned
from the manager.
If you do your security that way then the generated code is fine. The
bonus feature to a setup like this is if you use DWR or a similar
framework to access your managers the security is inherited.
For example, assuming there are total of 100 Car records in the database.
Assuming 3 Cars belong to me, and I am allowed to do a filtered search
(select from car where owner = 'myname') and then edit the returned list.
Practically, I should not be able to edit the other 97 Cars. However, I can
simply access url=/editCar.html?id=99 and then change the owner of Car
(id=99) to be myself. So I can easily get one more car without paying any
money. :)
That's the security issue I was talking about.
There are several ways to prevent it:
(1) one is storing id in the session instead of showing it on the web page.
I agree with Matt that this is not a scalable solution in many
situations. What happens when a user can edit 1,000 objects, and you
have 1,000 users? 10,000 & 10,000? etc.
(2) another one is implementing an authorization mechanism which is similar
to what is applied to User.
User is an example of a good security implementation within AppFuse. Of
course there are other ways, but this is the best that we have come up with.
(3) etc
What do you think?
Nathan
mraible wrote:
On 3/9/07, wnqq <[EMAIL PROTECTED]> wrote:
In the Struts2 tutorial page:
http://appfuse.org/display/APF/Using+Struts+2
It shows how to use Struts2 to write CRUD for the entity "Person".
Because it use the id (the PK of Person) that is shown on the web page to
identity which record of person to use, it apparently causes a serious
security issue.
Why? I've been developing webapps this way for several years w/o any
issues.
I made a few changes to remove the id from the jsp pages and instead
store
it in the HttpSession.
What I changes include:
- PersonAction/Test,
- web-tests.xml,
- personList.jsp, etc.
Doesn't sound very scalable to me. I think you're a bit too paranoid. ;-)
Matt
If, in the future, you would like to update the tutorial as not showing
id
on the web, please let me know and it will be my pleasure to upload my
code
for your references.
--
View this message in context:
http://www.nabble.com/hide-id-of-person-from-the-web-pages-tf3376792s2369.html#a9398113
Sent from the AppFuse - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
http://raibledesigns.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
