Thank you Frank and Yuanbo for the points. Our application is set up with SSL and password encryption. I guess my question is pretty detail oriented. See, I want a design solution so that if a person comes to a page without visiting the previous page, I want to display the error page. Also, since one manager has a lot of employees, I want to make sure the data is not somehow messed up.

Thanks.

-----Original Message-----
From: Frank Zammetti [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 08, 2004 5:41 PM
To: [EMAIL PROTECTED]
Subject: RE: design security issue

Excellent point, thanks for adding it!

Frank

>From: "Wang, Yuanbo" <[EMAIL PROTECTED]>
>Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
>To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
>Subject: RE: design security issue
>Date: Tue, 8 Jun 2004 15:32:16 -0500
>
>One comment. Make sure your ActionServlet intercepts all URL patterns so
>any HTTP request needs to get session validated first.
>
>Yuanbo
>
>-----Original Message-----
>From: Frank Zammetti [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, June 08, 2004 3:34 PM
>To: [EMAIL PROTECTED]
>Subject: RE: design security issue
>
>To really do security properly, you really should externalize it using a
>product like Netegrity's SiteMinder. That would be my first suggestion,
>but there is considerable cost in something like that, so it's not right
>for everyone or every situation.
>
>So, you can do some more minor things within your app that should give
>you decent results:
>
>(1) Don't do anything within any action unless a valid session is found.
>This will keep quite a few people out of your app on its own since they
>won't be able to just hack together a URL with a query string. I
>accomplish this in one app I did by having an ActionHelpers class, and
>the first thing any of my Actions do is call a validateSession() static
>method. If no session is present, forward right then and there to the
>logon page. You must be careful also that there is one and only one
>place in your code that creates a session, your logon Action most likely.
>
>(2) Make sure you're running through SSL. Takes care of packet sniffing,
>more or less.
>
>(3) Encrypt the passwords in your database with a one-way hash
>encryption. Makes administration a little bit of a pain (no way to read
>the password), but it also makes hacking the system a little tougher.
>
>(4) Have good policies with regard to session timeouts and password
>structure. A 5-minute timeout might be too short depending on the app,
>but it's good security-wise. Make sure you have solid rules for what a
>password must look like (i.e., 6-10 characters in length, at least one
>non-alphabetic character and one non-alphanumeric character, must be
>changed once a month, etc.).
>
>These are all easy to implement, and will lead to a fairly secure
>system. Not perfect, but reasonably secure. Depending on your
>environment, it might be plenty.
>
>Frank
>
> >From: "Zhang, Larry (L.)" <[EMAIL PROTECTED]>
> >Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Subject: design security issue
> >Date: Tue, 8 Jun 2004 15:14:36 -0400
> >
> >I have a web application on which the manager can view his manage tree
> >and select his employee for transactions (such as Performance Rating,
> >putting on Leave of absence). Definitely it is very vital in this case
> >to keep the security or make sure one data for one employee is
> >submitted not for another employee. Another thinking is that if the
> >user comes to a page via a bookmark or comes to the page without
> >visiting the previous page, we should catch this event and disallow the
> >further action. I need to come up with some design solutions so that
> >this security is handled elegantly. Any ideas? If you know some sites
> >discussing this, please let me know.
> >
> >Thanks.
> >
> >Larry Zhang
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]
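As an added example, not code from this thread or from Struts itself: Frank's ActionHelpers.validateSession() from point (1) and Yuanbo's "validate the session first" rule, applied to Larry's two cases (a page reached by bookmark, and a form submitted for an employee the manager does not own), in Java for Struts 1.x. The session attribute keys, RatePerformanceAction and the forward names "logon", "error" and "confirmRating" are assumptions, and the example still depends on every request being mapped to the ActionServlet in web.xml so that no JSP is reachable directly.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Helper from point (1); attribute keys are assumptions, set only by the logon Action.
final class ActionHelpers {
    static final String EMPLOYEE_IDS_KEY = "manager.employeeIds";
    static final String NEXT_PAGE_KEY = "flow.nextPage";

    // getSession(false) never creates a session as a side effect, so a
    // hand-built URL arriving without one is sent straight to logon.
    static HttpSession validateSession(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        return (s != null && s.getAttribute(EMPLOYEE_IDS_KEY) != null) ? s : null;
    }

    // "One data for one employee": the id posted with the form must be in
    // the set stored for this manager at logon, never trusted from the URL.
    static boolean managesEmployee(HttpSession s, String employeeId) {
        Set<?> ids = (Set<?>) s.getAttribute(EMPLOYEE_IDS_KEY);
        return employeeId != null && ids.contains(employeeId);
    }

    // Page flow: the previous Action names the one page allowed next; a
    // bookmarked or skipped-to page finds no matching name and is refused.
    static boolean consumeNextPage(HttpSession s, String thisPage) {
        Object expected = s.getAttribute(NEXT_PAGE_KEY);
        s.removeAttribute(NEXT_PAGE_KEY); // single use: the step cannot be replayed
        return thisPage.equals(expected);
    }
}

public class RatePerformanceAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest req, HttpServletResponse resp) {
        HttpSession s = ActionHelpers.validateSession(req);
        if (s == null) return mapping.findForward("logon");
        String employeeId = req.getParameter("employeeId");
        if (!ActionHelpers.consumeNextPage(s, "ratePerformance")
                || !ActionHelpers.managesEmployee(s, employeeId)) {
            return mapping.findForward("error"); // Larry's error page
        }
        s.setAttribute(ActionHelpers.NEXT_PAGE_KEY, "confirmRating");
        return mapping.findForward("confirmRating");
    }
}
```

The Action that forwards to the rating page sets NEXT_PAGE_KEY to "ratePerformance" before forwarding, so the check above passes only when the previous page was actually visited.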