Yep, I suspected Struts had something already for this. I would have written and submitted such an extension myself if it wasn't there! Thanks for pointing it out, Harjot!

Frank


From: "Harjot Narula" <[EMAIL PROTECTED]>
Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Subject: Fw: design security issue
Date: Wed, 9 Jun 2004 19:02:22 +0530



 To implement similar behaviour, Struts provides the saveToken
 functionality.
 Look at it here:
 http://www.scioworks.net/camino_doc/manual/strutsIntro/struts1_0.html

 Harjot

> ----- Original Message -----
> From: "Frank Zammetti" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, June 09, 2004 5:22 AM
> Subject: RE: design security issue
>
>
> > Well, you could do something as simple as setting a session attribute
> > every time an Action is called that stores what page was accessed, but
> > before doing that you check what value is there already and if it's not
> > the previous page, or whatever page might be valid before the one you're
> > processing, forward to the error page. There's probably a more elegant
> > way to do that in Struts, but this is pretty simple too, should do the
> > trick.
> >
> > Also be sure to set proper expirations on your page so that the back
> > button won't work, since that would pull from the browser cache and
> > bypass that little check in the Actions.
> >
> > Frank
> >
> >
> > >From: "Zhang, Larry (L.)" <[EMAIL PROTECTED]>
> > >Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > >To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > >Subject: RE: design security issue
> > >Date: Tue, 8 Jun 2004 18:14:41 -0400
> > >
> > >Thank you Frank and Yuanbo, for the points. Our application is set up
> > >with SSL and password encryption. I guess my question is pretty
> > >detail-oriented. See, I want a design solution so that if a person
> > >comes to a page without visiting the previous page, I want to display
> > >the error page. Also, since one manager has a lot of employees, I want
> > >to make sure the data is not somehow messed up.
> > >
> > >Thanks.
> > >
> > >-----Original Message-----
> > >From: Frank Zammetti [mailto:[EMAIL PROTECTED]
> > >Sent: Tuesday, June 08, 2004 5:41 PM
> > >To: [EMAIL PROTECTED]
> > >Subject: RE: design security issue
> > >
> > >
> > >Excellent point, thanks for adding it!
> > >
> > >Frank
> > >
> > >
> > > >From: "Wang, Yuanbo" <[EMAIL PROTECTED]>
> > > >Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > >To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > >Subject: RE: design security issue
> > > >Date: Tue, 8 Jun 2004 15:32:16 -0500
> > > >
> > > >One comment. Make sure your ActionServlet intercepts all URL patterns
> > > >so any HTTP request needs to get its session validated first.
> > > >
> > > >Yuanbo
> > > >
> > > >-----Original Message-----
> > > >From: Frank Zammetti [mailto:[EMAIL PROTECTED]
> > > >Sent: Tuesday, June 08, 2004 3:34 PM
> > > >To: [EMAIL PROTECTED]
> > > >Subject: RE: design security issue
> > > >
> > > >
> > > >To really do security properly, you really should externalize it
> > > >using a product like Netegrity's SiteMinder. That would be my first
> > > >suggestion, but there is considerable cost in something like that, so
> > > >it's not right for everyone or every situation.
> > > >
> > > >So, you can do some more minor things within your app that should
> > > >give you decent results:
> > > >
> > > >(1) Don't do anything within any action unless a valid session is
> > > >found. This will keep quite a few people out of your app on its own
> > > >since they won't be able to just hack together a URL with a query
> > > >string. I accomplish this in one app I did by having an ActionHelpers
> > > >class, and the first thing any of my Actions do is call a
> > > >validateSession() static method. If no session is present, forward
> > > >right then and there to the logon page. You must be careful also that
> > > >there is one and only one place in your code that creates a session,
> > > >your logon Action most likely.
> > > >
> > > >(2) Make sure you're running through SSL. Takes care of packet
> > > >sniffing, more or less.
> > > >
> > > >(3) Encrypt the passwords in your database with a one-way hash
> > > >encryption. Makes administration a little bit of a pain (no way to
> > > >read the password), but it also makes hacking the system a little
> > > >tougher.
> > > >
> > > >(4) Have good policies with regard to session timeouts and password
> > > >structure. A 5-minute timeout might be too short depending on the
> > > >app, but it's good security-wise. Make sure you have solid rules for
> > > >what a password must look like (i.e., 6-10 characters in length, at
> > > >least one non-alphabetic character and one non-alphanumeric
> > > >character, must be changed once a month, etc.).
> > > >
> > > >These are all easy to implement, and will lead to a fairly secure
> > > >system. Not perfect, but reasonably secure. Depending on your
> > > >environment, it might be plenty.
> > > >
> > > >Frank
> > > >
> > > > >From: "Zhang, Larry (L.)" <[EMAIL PROTECTED]>
> > > > >Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > > >To: <[EMAIL PROTECTED]>
> > > > >Subject: design security issue
> > > > >Date: Tue, 8 Jun 2004 15:14:36 -0400
> > > > >
> > > > >I have a web application on which the manager can view his
> > > > >management tree and select his employee for transactions (such as
> > > > >Performance Rating, putting on Leave of absence). Definitely it is
> > > > >very vital in this case to keep the security or make sure one data
> > > > >for one employee is submitted not for another employee. Another
> > > > >thinking is that if the user comes to a page via a bookmark or
> > > > >comes to the page without visiting the previous page, we should
> > > > >catch this event and disallow the further action. I need to come up
> > > > >with some design solutions so that this security is handled
> > > > >elegantly. Any ideas? If you know some sites discussing this, please
> > > > >let me know.
> > > > >
> > > > >Thanks.
> > > > >
> > > > >Larry Zhang
> > > > >
> > > >
> > > > >---------------------------------------------------------------------
> > > > >To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > >For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
>
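The saveToken/isTokenValid flow Harjot points to, combined with Frank's validateSession() guard and his "was the previous page visited" check, as an added example. This is not code from the thread, from Struts, or from Larry's application. It assumes Struts 1.x, forward names "logon", "error", "ratingForm" and "done", the two session attribute names shown, and an application-side EmployeeService interface (put in the session by the logon Action) for the management-tree lookup and the rating write; all of those names are illustrative.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Two Struts 1.x Actions for the two-step flow from the thread: (1) the manager
 * picks an employee from his tree, (2) the rating for that employee is submitted.
 * Configure them in struts-config.xml by their binary names,
 * type="RatingFlow$SelectEmployeeAction" and type="RatingFlow$RateEmployeeAction".
 * The forward names, session attribute names and EmployeeService are assumptions
 * for this example, not part of Struts.
 */
public final class RatingFlow {

    /** Assumed application interface; the logon Action stores it in the session. */
    public interface EmployeeService {
        boolean manages(String employeeId);          // is employeeId in this manager's tree?
        void rate(String employeeId, String rating); // persist the rating
    }

    static final String SERVICE_KEY  = "example.employeeService";    // assumed attribute name
    static final String SELECTED_KEY = "example.selectedEmployeeId"; // assumed attribute name

    /**
     * Frank's validateSession() idea: only the logon Action creates a session,
     * so use getSession(false) and treat "no session" or "not logged on" as invalid.
     */
    static HttpSession validSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(SERVICE_KEY) == null) {
            return null;
        }
        return session;
    }

    /** Step 1: check the employee is in the caller's tree, remember the choice, issue a token. */
    public static class SelectEmployeeAction extends Action {
        public ActionForward execute(ActionMapping mapping, ActionForm form,
                                     HttpServletRequest request,
                                     HttpServletResponse response) {
            HttpSession session = validSession(request);
            if (session == null) {
                return mapping.findForward("logon");
            }
            String employeeId = request.getParameter("employeeId");
            EmployeeService service = (EmployeeService) session.getAttribute(SERVICE_KEY);
            if (employeeId == null || !service.manages(employeeId)) {
                return mapping.findForward("error"); // not one of this manager's employees
            }
            session.setAttribute(SELECTED_KEY, employeeId);
            saveToken(request); // <html:form> on the rating page emits it as a hidden field
            return mapping.findForward("ratingForm");
        }
    }

    /** Step 2: accept the rating only if step 1 ran in this session and the token is unused. */
    public static class RateEmployeeAction extends Action {
        public ActionForward execute(ActionMapping mapping, ActionForm form,
                                     HttpServletRequest request,
                                     HttpServletResponse response) {
            HttpSession session = validSession(request);
            if (session == null) {
                return mapping.findForward("logon");
            }
            // Bookmark, hand-built URL or back-button resubmit: the token is missing,
            // stale or already consumed, so the previous page was not visited first.
            if (!isTokenValid(request)) {
                return mapping.findForward("error");
            }
            resetToken(request); // one-time use: a replay of this POST now fails the check above
            String employeeId = (String) session.getAttribute(SELECTED_KEY);
            if (employeeId == null) {
                return mapping.findForward("error"); // step 1 never ran in this session
            }
            session.removeAttribute(SELECTED_KEY);
            String rating = request.getParameter("rating");
            if (rating == null) {
                return mapping.findForward("error");
            }
            // Bind the rating to the employee chosen and checked in step 1, never to an
            // employeeId taken from this request, so it cannot be redirected to someone else.
            EmployeeService service = (EmployeeService) session.getAttribute(SERVICE_KEY);
            service.rate(employeeId, rating);
            return mapping.findForward("done");
        }
    }
}
```

The token answers the page-ordering and double-submit questions; it says nothing about whether the caller may act on that employee, which is why step 1 does the tree check and step 2 reuses the server-side choice instead of trusting the posted form. For the back-button point Frank raised, `<controller nocache="true"/>` in struts-config.xml makes the ActionServlet send Pragma, Cache-Control and Expires headers so the browser refetches rather than serving the cached page.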