Mike Kienenberger wrote:

Rick Reumann <[EMAIL PROTECTED]> wrote:


Mike Kienenberger wrote the following on 9/17/2004 2:17 PM:


Any time you allow an end user an opportunity to specify a parameter for reflection, you're introducing security concerns. However, a "secure" version could be created by only allowing a dispatch to a hardcoded list of methods.


But your approach to encoding could do the same thing for a dispatch param so I'm not certain that using an Action vs DispatchAction is any more secure.



I must not be understanding you.

If you have url of "/page&method=X" and use reflection to resolve X, then you have far less control than if you simply check to see if "X" is in your list of approved methods.

On the other hand, a pure action with /page&SaveButtonName=ButtonValue is always going to go to my save code if the "SaveButtonName" parameter exists, and it'll go to my default code if not. There's no other option. That's as secure as it gets.


On the other hand, if you're just saying that you can encode your reflection dispatch name so that "/page&method=X" becomes "/a1b2c3d4e5.psc", you've just made the security more obscure. If someone figures out your encoding, they can still bypass it.


The first rule of computer security programming is never trust user data. Let users specify indexes of items in lists, never the item values themselves.



I am not sure what you are saying, Mike. Suppose we have the following actions. One action has the following:


1.  SOLUTION ONE

Action that Chooses What CRUD to Use from the Button

 public ActionForward execute(...) {
   String command = getCommandName();

   if ("save".equals(command)) {
     save(request.getParameter("SaveButtonName"));
   } else if ("delete".equals(command)) {
     delete(request.getParameter("DeleteButtonName"));
   }
   // Return to the input page once the chosen operation has run
   return mapping.getInputForward();
 }

2.  SOLUTION TWO: Dispatchers

Action that Chooses what CRUD Method to Call Via Reflection

public ActionForward execute(...) {
  // DispatchUtil gets the methodName and calls one of the following methods by reflection
  ActionForward forward = new DispatchUtil().dispatch(this, mapping, form, request, response);
  return forward;
}

   public ActionForward save( ...) {
     String ButtonValue = request.getParameter("SaveButtonName");
     // use ButtonValue
   }

   public ActionForward delete( ... ) {
      String ButtonValue = request.getParameter("DeleteButtonName");
      // use ButtonValue
   }

3.  SOLUTION THREE:

  Plain Old Action Objects

  SaveButtonAction

  public ActionForward execute (....) {
     String ButtonValue = request.getParameter("SaveButtonName");
     /// do whatever
  }

  DeleteButtonAction

  public ActionForward execute (....) {
     String ButtonValue = request.getParameter("DeleteButtonName");
     /// do whatever
  }

Isn't the third option in fact the least safe? And, isn't the dispatch option at least tied for the most safe? The safety of the parameter and its value is in all three models, but in the plain old action object, that is the only "distance" between a hack and the application, whereas in the other cases there are added levels of security due to the complexity of the internal logic. Ultimately the level of complexity and the bottom security the name/value pair from a request parameter for what must be deleted, etc. is the same in ALL cases. What is different is that the object for deleting is an obvious target whereas the operations are hidden in an object representing, in essence, an actor rather than an action.

Please do not take this question as disingenuous or otherwise as an attack on you. I don't even know you. This is just an attempt to exchange ideas. I don't mean to suggest you would react that way but I have gotten gun shy on this list. Thanks. I am interested in your answers.

Michael McGrady
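
The contrast discussed in this thread, resolving a request-supplied method name by raw reflection versus checking it against a hardcoded list first, as an added example that is not code from any poster or from Struts. `CrudHandler`, `purgeAll`, `dispatchUnchecked` and `dispatchChecked` are hypothetical names, the request values are constructed, and Java 9+ is assumed for `Set.of`.

```java
import java.lang.reflect.Method;
import java.util.Set;

public class AllowlistDispatchDemo {

    // Hypothetical handler class standing in for a dispatch-style action.
    public static class CrudHandler {
        public String save(String value)   { return "saved:" + value; }
        public String delete(String value) { return "deleted:" + value; }
        // Public helper that was never meant to be selectable from a request.
        public String purgeAll(String ignored) { return "purged everything"; }
    }

    // The hardcoded list of methods a request may select.
    private static final Set<String> ALLOWED = Set.of("save", "delete");

    // Raw reflection: any public method taking one String resolves by name.
    static String dispatchUnchecked(Object target, String name, String arg) throws Exception {
        Method m = target.getClass().getMethod(name, String.class);
        return (String) m.invoke(target, arg);
    }

    // Allowlisted reflection: the name is checked before any lookup happens.
    static String dispatchChecked(Object target, String name, String arg) throws Exception {
        if (name == null || !ALLOWED.contains(name)) {
            return "rejected:" + name; // caller falls back to default handling
        }
        return dispatchUnchecked(target, name, arg);
    }

    public static void main(String[] args) throws Exception {
        CrudHandler h = new CrudHandler();
        // Constructed sample values for the "method" request parameter.
        for (String requested : new String[] {"save", "delete", "purgeAll"}) {
            System.out.println("unchecked " + requested + " -> "
                    + dispatchUnchecked(h, requested, "42"));
            System.out.println("checked   " + requested + " -> "
                    + dispatchChecked(h, requested, "42"));
        }
    }
}
```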







