Also be sure to set proper expirations on your page so that the back button won't work, since that would pull from the browser cache and bypass that little check in the Actions.
Frank
From: "Zhang, Larry (L.)" <[EMAIL PROTECTED]>
Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Subject: RE: design security issue
Date: Tue, 8 Jun 2004 18:14:41 -0400
Thank you Frank and Yuanbo, for the points. Our application is set up in SSL and password encryption. I guess my question is pretty detail oriented. See, I want a design solution so that if a person comes to a page without visiting the previous page, I want to display the error page. Also, since one manager has a lot of employees, I want to make sure the data is not somehow messed up.

Thanks.
-----Original Message-----
From: Frank Zammetti [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 08, 2004 5:41 PM
To: [EMAIL PROTECTED]
Subject: RE: design security issue
Excellent point, thanks for adding it!
Frank
>From: "Wang, Yuanbo" <[EMAIL PROTECTED]>
>Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
>To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
>Subject: RE: design security issue
>Date: Tue, 8 Jun 2004 15:32:16 -0500
>
>One comment. Make sure your ActionServlet intercepts all URL patterns so
>any HTTP request needs to get session validated first.
>
>Yuanbo
>
>-----Original Message-----
>From: Frank Zammetti [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 08, 2004 3:34 PM
>To: [EMAIL PROTECTED]
>Subject: RE: design security issue
>
>To really do security properly, you really should externalize it using a
>product like Netegrity's SiteMinder. That would be my first suggestion, but
>there is considerable cost in something like that, so it's not right for
>everyone or every situation.
>
>So, you can do some more minor things within your app that should give you
>decent results:
>
>(1) Don't do anything within any action unless a valid session is found.
>This will keep quite a few people out of your app on its own since they
>won't be able to just hack together a URL with a query string. I accomplish
>this in one app I did by having an ActionHelpers class, and the first thing
>any of my Actions do is call a validateSession() static method. If no
>session is present, forward right then and there to the logon page. You
>must be careful also that there is one and only one place in your code that
>creates a session, your logon Action most likely.
>
>(2) Make sure you're running through SSL. Takes care of packet sniffing, more
>or less.
>
>(3) Encrypt the passwords in your database with a one-way hash encryption.
>Makes administration a little bit of a pain (no way to read the password),
>but it also makes hacking the system a little tougher.
>
>(4) Have good policies with regard to session timeouts and password
>structure. A 5-minute timeout might be too short depending on the app, but
>it's good security-wise. Make sure you have solid rules for what a password
>must look like (i.e., 6-10 characters in length, at least one non-alphabetic
>character and one non-alphanumeric character, must be changed once a month,
>etc.).
>
>These are all easy to implement, and will lead to a fairly secure system.
>Not perfect, but reasonably secure. Depending on your environment, it might
>be plenty.
>
>Frank
>
> >From: "Zhang, Larry (L.)" <[EMAIL PROTECTED]>
> >Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Subject: design security issue
> >Date: Tue, 8 Jun 2004 15:14:36 -0400
> >
> >I have a web application on which the manager can view his manage tree and
> >select his employee for transactions (such as Performance Rating, putting
> >on Leave of absence). Definitely it is very vital in this case to keep the
> >security or make sure one data for one employee is submitted not for
> >another employee. Another thinking is that if the user comes to a page via a
> >bookmark or comes to the page without visiting the previous page, we should
> >catch this event and disallow the further action. I need to come up with some
> >design solutions so that this security is handled elegantly. Any ideas? If
> >you know some sites discussing this, please let me know.
> >
> >Thanks.
> >
> >Larry Zhang
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]
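The following is an added example, not code from the thread or from any of its participants. It shows how Frank's session check, his follow-up about cache expiration, and Larry's two concerns (a page reached by bookmark, and a transaction submitted against the wrong employee) can be handled in one Struts 1.x base Action. It assumes the Struts 1 Action API (execute, findForward, saveToken, isTokenValid); the class names ActionHelpers and ManagerUser, the session attribute "authenticatedUser", the request parameter "employeeId" and the forward names "logon", "flowError", "accessDenied", "selectEmployee" and "success" are illustrative assumptions.

```java
// Added example (not from the thread): a Struts 1.x base Action that applies the
// checks discussed above before any subclass runs. Names marked "assumed" are
// illustrative, not part of Struts or of the poster's application.
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Put into the session by the logon Action only (the single place a session is created). Assumed type. */
final class ManagerUser {
    private final String managerId;
    private final Set<String> managedEmployeeIds;

    ManagerUser(String managerId, Set<String> managedEmployeeIds) {
        this.managerId = managerId;
        this.managedEmployeeIds = Collections.unmodifiableSet(managedEmployeeIds);
    }

    String getManagerId() { return managerId; }

    /** Ownership check: is the employee being acted on inside this manager's tree? */
    boolean manages(String employeeId) { return managedEmployeeIds.contains(employeeId); }
}

/** Assumed helper class, in the spirit of Frank's ActionHelpers.validateSession(). */
final class ActionHelpers {
    static final String USER_KEY = "authenticatedUser"; // assumed session attribute name

    private ActionHelpers() {}

    /** Returns the logged-in manager, or null. getSession(false) never creates a session here. */
    static ManagerUser validateSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) return null;
        Object user = session.getAttribute(USER_KEY);
        return (user instanceof ManagerUser) ? (ManagerUser) user : null;
    }
}

/** Every application Action extends this, so no subclass can forget the checks. */
abstract class SecureBaseAction extends Action {
    @Override
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // Expire the page so the Back button cannot replay it from the browser cache.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);
        // Point (1): do nothing unless a valid session with a logged-in user exists.
        ManagerUser user = ActionHelpers.validateSession(request);
        if (user == null) {
            return mapping.findForward("logon");
        }
        return executeSecured(mapping, form, request, response, user);
    }

    protected abstract ActionForward executeSecured(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response, ManagerUser user) throws Exception;
}

/** Step 1 of the flow: show the employee list and arm a one-time transaction token. */
final class SelectEmployeeAction extends SecureBaseAction {
    @Override
    protected ActionForward executeSecured(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response, ManagerUser user) {
        saveToken(request); // Struts' <html:form> on the next page renders it as a hidden field
        return mapping.findForward("selectEmployee");
    }
}

/** Step 2: the transaction itself (rating, leave of absence). */
final class EmployeeTransactionAction extends SecureBaseAction {
    @Override
    protected ActionForward executeSecured(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response, ManagerUser user) {
        // Bookmarked or re-submitted request: no matching token means step 1 was skipped.
        // The "true" argument consumes the token so the same form cannot be submitted twice.
        if (!isTokenValid(request, true)) {
            return mapping.findForward("flowError");
        }
        String employeeId = request.getParameter("employeeId"); // assumed parameter name
        // Never act on a submitted id alone: it must belong to the manager who is logged in.
        if (employeeId == null || !user.manages(employeeId)) {
            return mapping.findForward("accessDenied");
        }
        // The transaction is recorded against the pair (manager, employee) taken from the
        // session and the validated parameter, never from hidden fields the client controls.
        request.setAttribute("transactionManagerId", user.getManagerId());
        request.setAttribute("transactionEmployeeId", employeeId);
        return mapping.findForward("success");
    }
}
```

Two points the code relies on but does not show: Yuanbo's remark means the ActionServlet mapping (for example `*.do`) must cover every entry point, and JSPs should live under WEB-INF so they cannot be requested directly and bypass the base Action; and the logon Action is the only code that calls `getSession(true)` and stores the ManagerUser, as Frank advises.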