Posted to user@struts.apache.org by Kamlesh Koringa <ka...@gmail.com> on 2009/08/08 07:52:06 UTC

Struts - Security

Hi
I am searching for good security frameworks for Struts2.
I have tried HDIV (http://www.hdiv.org). It is a good framework but only supports
up to Struts 2.0.11, not Struts 2.1.6.

So please help me find any other framework or any other way to solve
security-related issues.
My main concerns are:
- URL encryption (no one can modify the generated URL).
- URL authorization.

Thanks
--------------------------
Kamlesh Koringa

RE: Struts - Security

Posted by Martin Gainty <mg...@hotmail.com>.
One way of achieving this is to assign the href attribute of the anchor to a scoped variable:
<%@ taglib prefix="s" uri="/struts-tags" %>
<%@ page import="com.opensymphony.xwork2.ActionContext" %>
<%
  // build the URL on the server and stash it in the session under a fixed name
  java.net.URL url = new java.net.URL("http://java.sun.com/index.html");
  ActionContext.getContext().getSession().put("testUrlId", url);
%>
<%-- the %{...} wrapper makes the tag evaluate the OGNL expression against #session --%>
<s:a href="%{#session.testUrlId}">link</s:a>

anyone else?
Martin Gainty 

Re: Struts - Security

Posted by Kamlesh Koringa <ka...@gmail.com>.
Thanks Martin for your reply.

I have checked QueryCrypt. It only works with static URLs generated on the
server side to encrypt parameters, and I doubt it will work with Struts2
tags. For that I would have to use a scriptlet to get all parameters, encrypt them and
generate encrypted parameters. If I am not wrong, <s:a /> will not allow the use of
scriptlets, so I have to use a plain HTML tag to generate the URL. Is there any
other way to do this?
Thanks
Kamlesh

RE: Struts - Security

Posted by Martin Gainty <mg...@hotmail.com>.
QueryCryptSessionListener handles authentication:
http://www.theserverside.com/news/thread.tss?thread_id=36841

BASIC URL authorization can be achieved through predefined roles from tomcat-users:
http://www.informit.com/articles/article.aspx?p=24600

I assume you're using TC?
Martin Gainty 

RE: Struts - Security

Posted by Security Management <li...@secmgmt.com>.
Ditto on Spring Security, very nice for URL auth.


RE: Struts - Security

Posted by Martin Gainty <mg...@hotmail.com>.
Looks like you might want to code your own logic to scan for those
manipulated URL params, like a URL which contains the dreaded /WEB-INF
(and, as Dale suggested, scan URLs to reference known .action names).

Martin Gainty 

Re: Struts - Security

Posted by Dale Newfield <da...@newfield.org>.
Kamlesh Koringa wrote:
> - URL encryption (no one can modify generated URL).

Impossible.  You cannot prevent people from requesting URLs your system 
does not present to them.  You should assume that any parameter that you 
accept from a user can be manipulated at will by that user.  You can 
jump through hoops to make valid alternate values difficult to guess, 
but that's it.  You should always check the inputs and make sure that 
the requested action is a valid one for that user before allowing the 
requested action to continue.

> - URL authorization.

"Spring Security" formerly known as acegi.

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
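Dale's point above (you cannot stop a client from requesting any URL, so you may make alternate values hard to guess, but you must still check that the requested action is valid for that user) and Martin's suggestion of screening request paths for /WEB-INF and known .action names, shown together in one added example. This is not code from the thread, from HDIV, QueryCrypt, Spring Security or Struts; it is plain Java 11+ so it runs without a servlet container, and the class name SignedQuery, its method names, the order-ownership table, the allow-list of action names and the demo key are all constructed for illustration. It goes one step beyond the thread by showing why the two checks are separate: an HMAC over the parameters only proves the URL was issued by your server, and a signed URL copied by a different logged-in user still verifies, which is exactly the case the ownership check has to catch.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

/** Hypothetical helper: HMAC-signs URL parameters and, separately, authorizes the request. */
public class SignedQuery {

    private static final String HMAC = "HmacSHA256";
    private final byte[] key;

    public SignedQuery(byte[] key) {
        this.key = key.clone();
    }

    /** Canonical string: parameters sorted by name, names and values URL-encoded, "sig" excluded. */
    private static String canonical(Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>(params);
        sorted.remove("sig");
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    private String mac(String data) throws Exception {
        Mac m = Mac.getInstance(HMAC);
        m.init(new SecretKeySpec(key, HMAC));
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    /** Server side, when rendering the link: copy the parameters and append the signature. */
    public Map<String, String> sign(Map<String, String> params) throws Exception {
        Map<String, String> out = new LinkedHashMap<>(params);
        out.put("sig", mac(canonical(params)));
        return out;
    }

    /** On the incoming request: recompute over the received values and compare in constant time. */
    public boolean verify(Map<String, String> params) throws Exception {
        String given = params.get("sig");
        if (given == null) return false;
        byte[] a = given.getBytes(StandardCharsets.UTF_8);
        byte[] b = mac(canonical(params)).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    /** Constructed ownership table standing in for a database lookup. */
    private static final Map<String, String> ORDER_OWNER = Map.of("1001", "alice", "1002", "bob");

    /** Authorization is separate from URL integrity: a signed URL replayed by another user fails here. */
    public static boolean mayViewOrder(String user, String orderId) {
        return user != null && user.equals(ORDER_OWNER.get(orderId));
    }

    /** Constructed allow-list of the action paths the application actually serves. */
    private static final Set<String> KNOWN_ACTIONS = Set.of("/viewOrder.action", "/editOrder.action");

    /** Decode once, then reject WEB-INF, META-INF and ".." and anything not on the allow-list. */
    public static boolean isKnownActionPath(String rawPath) {
        String path = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        String upper = path.toUpperCase(Locale.ROOT);
        if (upper.contains("WEB-INF") || upper.contains("META-INF") || path.contains("..")) return false;
        return KNOWN_ACTIONS.contains(path);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a deployment loads it from configuration rather than hard-coding it.
        SignedQuery sq = new SignedQuery("constructed-demo-key".getBytes(StandardCharsets.UTF_8));

        Map<String, String> params = new LinkedHashMap<>();
        params.put("orderId", "1001");
        Map<String, String> signed = sq.sign(params);
        System.out.println("rendered params : " + signed);
        System.out.println("verify original : " + sq.verify(signed));

        Map<String, String> tampered = new LinkedHashMap<>(signed);
        tampered.put("orderId", "1002");   // value edited by the client, signature now stale
        System.out.println("verify tampered : " + sq.verify(tampered));

        // Same signed URL, two different logged-in users: only the owner passes.
        System.out.println("alice views 1001: " + mayViewOrder("alice", "1001"));
        System.out.println("bob views 1001  : " + mayViewOrder("bob", "1001"));

        System.out.println("known action    : " + isKnownActionPath("/viewOrder.action"));
        System.out.println("WEB-INF path    : " + isKnownActionPath("/WEB-INF/web.xml"));
        System.out.println("encoded WEB-INF : " + isKnownActionPath("/%57EB-INF/web.xml"));
    }
}
```

Compile with javac SignedQuery.java and run with java SignedQuery. In a Struts2 application the verify, mayViewOrder and isKnownActionPath calls belong in an interceptor, or at the top of the action, before any work is done on the request; the allow-list of action names is the reliable part of the path check, while the WEB-INF and ".." substring tests are only defence in depth against a misconfigured container.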