I don't think storing the id in the session is going to prevent users from guessing another object's id and deleting it. I'd suggest using Acegi and it's powers to create a read-only view for those folks that can't edit an object, or (even better) use ACLs to control permissions on a per-object basis.
http://acegisecurity.org/docbook/acegi.html#domain-acls IMHO, I think the use-case described in the tutorial is more common than applications that require ACL-support. We've been doing the same tutorials for almost 4 years now and haven't had too many complaints. The basic goal of the tutorials is to give you a foundation to build on - what you do after that is up to you. One thing that's different about AppFuse from other web frameworks is we are all building somewhat similar applications (at least from a security perspective). I'd like to encourage users to discuss the kind of applications they're building - it should would be nice if we could have some additional tutorials to show how to build shopping carts, image galleries and other such things that might be used in applications. Matt On 3/9/07, wnqq <[EMAIL PROTECTED]> wrote:
Sorry that I might mislead you... Let me explain it in more details... "Person" can easily mislead us to think of "User", so let me use "Car" instead for the following discussions. As far as I know, the code generated by AppGen (and the upcoming AMP) follows the tutorial. That means, by providing an id of an Car, we can edit or delete any Car as long as the id exists in the database. Well, the current tutorial does allow a User to be able to edit ALL or NONE of Cars. However, for a practical application, a User is allowed to control only a certain number of Cars. In that practical case, using id is not enough to restrict Users to access unauthorized Cars. For example, assuming there are total of 100 Car records in the database. Assuming 3 Cars belong to me, and I am allowed to do a filtered search (select from car where owner = 'myname') and then edit the returned list. Practically, I should not be able to edit the other 97 Cars. However, I can simply access url=/editCar.html?id=99 and then change the owner of Car (id=99) to be myself. So I can easily get one more car without paying any money. :) That's the security issue I was talking about. There are several ways to prevent it: (1) one is storing id in the session instead of showing it on the web page. (2) another one is implementing an authorization mechanism which is similar to what is applied to User. (3) etc mraible wrote: > > On 3/9/07, wnqq <[EMAIL PROTECTED]> wrote: >> >> In the Struts2 tutorial page: >> http://appfuse.org/display/APF/Using+Struts+2 >> It shows how to use Struts2 to write CRUD for the entity "Person". >> >> Because it use the id (the PK of Person) that is shown on the web page to >> identity which record of person to use, it apparently causes a serious >> security issue. > > Why? I've been developing webapps this way for several years w/o any > issues. > >> >> I made a few changes to remove the id from the jsp pages and instead >> store >> it in the HttpSession. >> What I changes include: >> - PersonAction/Test, >> - web-tests.xml, >> - personList.jsp, etc. > > Doesn't sound very scalable to me. I think you're a bit too paranoid. ;-) > > Matt > >> >> If, in the future, you would like to update the tutorial as not showing >> id >> on the web, please let me know and it will be my pleasure to upload my >> code >> for your references. >> -- >> View this message in context: >> http://www.nabble.com/hide-id-of-person-from-the-web-pages-tf3376792s2369.html#a9398113 >> Sent from the AppFuse - User mailing list archive at Nabble.com. >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> > > > -- > http://raibledesigns.com > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > -- View this message in context: http://www.nabble.com/hide-id-of-person-from-the-web-pages-tf3376792s2369.html#a9400005 Sent from the AppFuse - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- http://raibledesigns.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
