So what problem are you trying to address:
1) Users accessing data they are not entitled to access?
2) Users accessing data they are entitled to access, but in an automated
manner which allows them to datamine, etc?
3) General hacks?
#1 is what we usually deal with, storing permissions and validating them against each
resource they try to access. There are a number of mechanisms, just search the
archive for authentication and authorization.
#2 Is more of a workflow issue and sounds like a business requirement, like enforcing
a maximum number of resources which can be accessed within a given period of time.
#3 If your app is well designed (proper authentication/entitlements, validations,
separation of layers) you should be ok. ActionForms act as buffers and provide a
layer of security. Make sure that users cannot access jsps directly... (I'm hoping
someone else will give a more complete answer).
-jaafar
-----Original Message-----
From: Denis Avdic [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 9:15 AM
To: Struts Users Mailing List
Subject: Re: [OT] Application Security
Paul Thomas wrote:
>
> On 10/06/2003 17:47 Denis Avdic wrote:
>
>> Hello,
>>
>> This is really off topic, but since everyone is working in similar
>> conditions I though I'd ask you all a question.
>>
>> How is everyone handling security in your applications?
>>
>> More specifically, we have a site where someone violated our
>> acceptable use policy and basically tried to retrieve all our data
>> through a previously unseen hole. Now, we patched it and we can
>> definitely go on and keep patching holes when we find them, but I
>> would like to set up something to prevent that from happening in the
>> first place. I am talking about setting up an Intrusion detection
>> system or something similar, where I could be at least alerted in
>> real time that something funky is happening, and that I don't have to
>> accidentaly stumble across the action in the log file. How are you
>> (if you are) handling this? Are there open source tools to set this
>> up? Commercial?
>
>
>
> Sounds like you're following the M$ security model - throw any old
> crap out of the door then patch, patch, patch ... Still, Bill Gates
> has done very nicely out of it so maybe this method has commercial
> benefits.
>
> Seriously though, how do you expect anyone to be able to give an
> answer to this? At what level did the intrusion take place? OS?
> Service? Application server? Application?
>
I'll ignore the thinly veiled insult there.
What our site is basically about is that people can access some
information retrieved from a database. This person registered and
basically went and accessed all of the profiles stored on our server,
sequentialy, using an automated process (2 per second). This was in
violation of our acceptable use policy. My question is what do people
use if something like this happens, or how do they handle any other
intrusions on all other levels.
Denis
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
