Posted to user@struts.apache.org by pr...@wipro.com on 2007/01/19 14:57:47 UTC

[SS] Stuck with Security related issues

Hi All,

I am stuck with 2 problems.

Problem 1

In my web-application (developed on Struts and Hibernate) I have 2 modules:

User Module

http://localhost:8080/SaS/Login.do

Admin Module

http://localhost:8080/SaS/Login.do

Depending on the login credentials, the respective GUI is displayed.

My problem is that the Action and Form classes that are being used for both the modules are common.

So depending on the param in the request, a different result will appear for a call like this:

http://localhost:8080/SaS/SearchService.do

So if I am accessing the admin module in one browser window and the user module in another, and I copy and paste only the URL part "SaS/SearchService.do" into the user module URL, the user can view the result which only the admin is supposed to view.

Is there any way to resolve this?

Problem 2

I want to restrict direct access to some of my action classes, e.g. if I have the following action classes:

1) Login.do
2) RegisterUser.do
3) SearchUser.do
4) Service.do

Then only Login.do should be directly accessible, i.e. http://localhost:8080/SaS/Login.do should work.

But if someone does http://localhost:8080/SaS/RegisterUser.do this should not work. It should throw an "Unauthorized Access" error.

Any suggestion?

Thanks

Prerna

 

 




The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
 
www.wipro.com

Re: [SS] Stuck with Security related issues

Posted by Nuwan Chandrasoma <my...@gmail.com>.
Hi,

Problem 1:

When a user logs in to the application, keep track of what kind of user has logged in; for example, have a User object created and put it in the session, and in every request you can check what kind of user has logged in and restrict other actions that are not allowed for that user. For this you can have a ServletFilter, map all your action mappings to it and do the checking in that filter.

Problem 2:

For this also you can use a ServletFilter and some flag in the session and do that kind of checking and restrict the specified action mappings.

I don't think this is the only solution for this; there may be a lot. Hope this would have helped you a little bit.

Thanks,

Nuwan.


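The ServletFilter approach Nuwan describes, as an added example that is not code from either poster: it covers both problems by deciding from the User object in the session which action paths a request may reach, denying everything not explicitly listed and leaving only Login.do open. It assumes a `User` class with a `getRole()` method stored in the session under the attribute name `"user"` (both hypothetical) and a web.xml `<filter-mapping>` of this filter to the url-pattern `*.do`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Minimal stand-in for the poster's User object (hypothetical shape).
class User {
    private final String role;
    User(String role) { this.role = role; }
    String getRole() { return role; }
}

// Mapped in web.xml to the url-pattern "*.do", so it runs before every Struts action.
public class ActionAuthorizationFilter implements Filter {
    // Action path -> roles allowed to invoke it. Paths not listed here are denied
    // (deny by default), so a new action cannot be reached until it is added.
    private static final Map<String, Set<String>> ALLOWED = new HashMap<String, Set<String>>();
    static {
        ALLOWED.put("/SearchService.do", roles("ADMIN", "USER")); // shared action
        ALLOWED.put("/Service.do",       roles("USER"));
        ALLOWED.put("/SearchUser.do",    roles("ADMIN"));
        ALLOWED.put("/RegisterUser.do",  roles("ADMIN"));
    }
    private static Set<String> roles(String... r) { return new HashSet<String>(Arrays.asList(r)); }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the context: "/SearchService.do" for /SaS/SearchService.do
        String path = request.getRequestURI().substring(request.getContextPath().length());
        // Login.do is the only action reachable without a logged-in user.
        if ("/Login.do".equals(path)) { chain.doFilter(req, res); return; }
        // Decide from the session only; a request parameter is under the client's
        // control. getSession(false) does not create a session for anonymous callers.
        HttpSession session = request.getSession(false);
        User user = session == null ? null : (User) session.getAttribute("user");
        Set<String> allowed = ALLOWED.get(path);
        if (user == null || allowed == null || !allowed.contains(user.getRole())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized Access");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter only decides who may reach an action; for the shared SearchService.do action, the Action class itself should choose the admin or user result from `user.getRole()` in the session rather than from the request parameter, otherwise the copied URL still selects the admin view.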

