Hi

Because not all of our team are using Tapestry-Hibernate, I have implemented
the solution with contributions to tapestry-core.

I have decorated the ContextValueEncoder and ComponentEventLinkEncoder for
link generation and request decoding.
The developer specifies whether he wants to indirect activation/event context
parameters by providing an annotation @HideDirectReference on his page.
Also, I had to implement a ComponentRequestFilter to check whether parameters
must be decoded with the indirection map depending on the targeted resource.

To implement the indirection map, at the moment I have used this API
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html that
is suggested by the OWASP Foundation. But it contains a lot of things that
Tapestry does by default. So I think that I will switch to a custom
implementation based on the Tapestry Strategy pattern that will be more flexible,
for example to handle a cluster environment as you mentioned. BTW two
implementations already exist: a simple algorithm based on Integer and
another based on random key generation that has more effect on CSRF
attacks.

Also, I will investigate the solution suggested by Thiago to handle
different types of key generation policies.

Best Regards,
Christophe.

2010/2/2 Howard Lewis Ship <hls...@gmail.com>

> Interesting. So perhaps instead of encoding the primary key of a
> Hibernate entity directly, you'd instead maintain a lookup combining
> user id and object id, mapped to a random string.  The random string
> would have to be in some kind of fast lookup table stored persistently
> (perhaps in the DB for sharing across the cluster, if any).
>
> Anyway, that's the kind of idea that popped into my head ... what's
> your solution looking like?
>
> On Tue, Feb 2, 2010 at 10:42 AM, cordenier christophe
> <christophe.corden...@gmail.com> wrote:
> > An old link
> > http://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
> > but the principle is there.
> >
> > 2010/2/2 cordenier christophe <christophe.corden...@gmail.com>
> >
> >> OWASP A4 is: Avoid Insecure Direct Object References (in URL in my case)
> >>
> >> The suggested implementation is to indirect all direct references to
> >> entity ids, for example.
> >>
> >> BTW the solution provided by Howard works like a charm, I will add it to
> >> my guideline.
> >>
> >> Thanks again,
> >> Christophe.
> >>
> >> 2010/2/2 Thiago H. de Paula Figueiredo <thiag...@gmail.com>
> >>
> >> On Tue, 02 Feb 2010 16:08:41 -0200, cordenier christophe <
> >>> christophe.corden...@gmail.com> wrote:
> >>>
> >>>> Actually I am trying to decorate ComponentEventLinkEncoder to
> >>>> implement a solution for the OWASP A4 recommendation.
> >>>>
> >>>
> >>> Which recommendation? Just curious. :)
> >>>
> >>> --
> >>> Thiago H. de Paula Figueiredo
> >>> Independent Java, Apache Tapestry 5 and Hibernate consultant,
> >>> developer, and instructor
> >>> Owner, software architect and developer, Ars Machina Tecnologia da
> >>> Informação Ltda.
> >>> http://www.arsmachina.com.br
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> >>> For additional commands, e-mail: users-h...@tapestry.apache.org
> >>>
> >>>
> >>
> >
>
>
>
> --
> Howard M. Lewis Ship
>
> Creator of Apache Tapestry
>
> The source for Tapestry training, mentoring and support. Contact me to
> learn how I can get you up and productive in Tapestry fast!
>
> (971) 678-5210
> http://howardlewisship.com
>

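The thread describes the indirection map in prose only: a per-user lookup from a direct reference (an entity primary key) to an opaque token, with an Integer strategy and a random-key strategy. The following is an added example, not Christophe's tapestry-core code and not the ESAPI library's API; it is a small stand-alone sketch of that idea in Python (Tapestry itself is Java). The class names loosely echo the two ESAPI strategies the thread mentions, the user ids, entity id and URL path are constructed for the example, and the in-memory dicts stand in for the persistent, cluster-shared table Howard suggests.

```python
"""Indirect object references scoped per user (added example, not the
original poster's or ESAPI's code).

A direct reference (entity id "42") is never exposed in the URL. Instead the
map hands out an indirect reference that is only valid for the user it was
issued to, so a token copied from one user's link is rejected for another.
"""
import secrets
from abc import ABC, abstractmethod


class AccessControlError(Exception):
    """Raised when an indirect reference is not known for the requesting user."""


class AccessReferenceMap(ABC):
    """Strategy base: translate direct <-> indirect, keyed by (user, value).

    Both dicts would live in a shared store (e.g. the database) in a cluster;
    in-process dicts are used here so the example runs stand-alone.
    """

    def __init__(self):
        self._direct_to_indirect = {}   # (user_id, direct)   -> indirect
        self._indirect_to_direct = {}   # (user_id, indirect) -> direct

    @abstractmethod
    def _new_indirect(self, user_id):
        """Produce a fresh indirect reference for this user (strategy-specific)."""

    def add_direct_reference(self, user_id, direct):
        """Return the indirect reference for (user, direct), creating it once."""
        key = (user_id, direct)
        if key not in self._direct_to_indirect:
            indirect = self._new_indirect(user_id)
            self._direct_to_indirect[key] = indirect
            self._indirect_to_direct[(user_id, indirect)] = direct
        return self._direct_to_indirect[key]

    def get_direct_reference(self, user_id, indirect):
        """Resolve an indirect reference presented by user_id, or refuse."""
        try:
            return self._indirect_to_direct[(user_id, indirect)]
        except KeyError:
            raise AccessControlError(
                "reference %r not issued to user %r" % (indirect, user_id)
            ) from None


class IntegerAccessReferenceMap(AccessReferenceMap):
    """Sequential per-user counter: compact, but the next value is predictable."""

    def __init__(self):
        super().__init__()
        self._counters = {}

    def _new_indirect(self, user_id):
        self._counters[user_id] = self._counters.get(user_id, 0) + 1
        return str(self._counters[user_id])


class RandomAccessReferenceMap(AccessReferenceMap):
    """Random URL-safe token: a third party cannot guess or forge a valid link."""

    def __init__(self, token_bytes=16):
        super().__init__()
        self._token_bytes = token_bytes

    def _new_indirect(self, user_id):
        while True:  # retry on the (astronomically unlikely) collision
            token = secrets.token_urlsafe(self._token_bytes)
            if (user_id, token) not in self._indirect_to_direct:
                return token


def page_link(arm, user_id, entity_id):
    """Constructed page link: the activation context carries the indirect ref."""
    return "/order/edit/" + arm.add_direct_reference(user_id, entity_id)


def simulate(arm):
    """Constructed scenario: alice is linked to order 42, bob replays her token."""
    alice_token = page_link(arm, "alice", "42").rsplit("/", 1)[1]
    resolved = arm.get_direct_reference("alice", alice_token)
    try:
        arm.get_direct_reference("bob", alice_token)  # replayed, must fail
        bob_reuse_allowed = True
    except AccessControlError:
        bob_reuse_allowed = False
    bob_token = arm.add_direct_reference("bob", "42")  # bob's own indirect ref
    return {
        "alice_token": alice_token,
        "resolved_for_alice": resolved,
        "bob_reuse_allowed": bob_reuse_allowed,
        "bob_token": bob_token,
        "tokens_identical": alice_token == bob_token,
    }


if __name__ == "__main__":
    print("integer:", simulate(IntegerAccessReferenceMap()))
    print("random: ", simulate(RandomAccessReferenceMap()))
```

Run with both strategies: each rejects a replayed token because the lookup is keyed by user, but the Integer variant issues "1" to alice and "1" to bob, so the value space is tiny and an attacker can enumerate it, whereas the random variant gives different, unguessable tokens, which is the extra protection against forged links the thread attributes to random key generation.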