You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by pr...@wipro.com on 2007/01/19 14:57:47 UTC
[SS] Stuck with Security related issues
Hi All,
I am stuck with 2 problems
Problem 1
In my web-application (developed on struts and hibernate)I have 2
modules
User Module
http://localhost:8080/SaS/Login.do
Admin Module
http://localhost:8080/SaS/Login.do
Depending on the login credentials the respective GUI are displayed.
My problem is that the Action and Form classes that are being used for
both the modules are common
So depending on the param in the request different result will appear
for a call like this
http://localhost:8080/SaS/SearchService.do
So if I am accessing the admin module in one browser window and user
module in another and I copy paste the URL part only
"SaS/SearchService.do" to the user module URL the user can view the
result which admin is only suppose to view.
Is there any way to resolve this?
Problem 2
I want to restrict direct access to some of my action classes eg if I
have following action classes
1) Login.do
2) RegisterUser.do
3) SearchUser.do
4) Service.do
Then only Login.do should be directly accessible i.e
http://localhost:8080/SaS/Login.do should work
But if someone does http://localhost:8080/SaS/RegisterUser.do this
should not work. It should throw "UnAutorized Access" Error
Any suggestion?
Thanks
Prerna
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
www.wipro.com
Re: [SS] Stuck with Security related issues
Posted by Nuwan Chandrasoma <my...@gmail.com>.
Hi,
Problem 1:
When a user login to the application, keep track of want kind of a user has
loged in, for example have a User object created and put the session, and in
every request you can check what kind of a user has loged in restrict other
actions that is not allowed for that user for this you can have a
ServletFilter and map all your action mappings and do the checking on that
filter.
Problem 2:
For this also you can use a ServletFilter and some flag in the session and
do kind of checking and restrict specified action mappings.
I don't think this is the only solution for this there may be lot, hope this
would have helped you a little bit.
Thanks,
Nuwan.
----- Original Message -----
From: <pr...@wipro.com>
To: <us...@struts.apache.org>
Sent: Friday, January 19, 2007 1:57 PM
Subject: [SS] Stuck with Security related issues
Hi All,
I am stuck with 2 problems
Problem 1
In my web-application (developed on struts and hibernate)I have 2
modules
User Module
http://localhost:8080/SaS/Login.do
Admin Module
http://localhost:8080/SaS/Login.do
Depending on the login credentials the respective GUI are displayed.
My problem is that the Action and Form classes that are being used for
both the modules are common
So depending on the param in the request different result will appear
for a call like this
http://localhost:8080/SaS/SearchService.do
So if I am accessing the admin module in one browser window and user
module in another and I copy paste the URL part only
"SaS/SearchService.do" to the user module URL the user can view the
result which admin is only suppose to view.
Is there any way to resolve this?
Problem 2
I want to restrict direct access to some of my action classes eg if I
have following action classes
1) Login.do
2) RegisterUser.do
3) SearchUser.do
4) Service.do
Then only Login.do should be directly accessible i.e
http://localhost:8080/SaS/Login.do should work
But if someone does http://localhost:8080/SaS/RegisterUser.do this
should not work. It should throw "UnAutorized Access" Error
Any suggestion?
Thanks
Prerna
The information contained in this electronic message and any attachments to
this message are intended for the exclusive use of the addressee(s) and may
contain proprietary, confidential or privileged information. If you are not
the intended recipient, you should not disseminate, distribute or copy this
e-mail. Please notify the sender immediately and destroy all copies of this
message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient should
check this email and any attachments for the presence of viruses. The
company accepts no liability for any damage caused by any virus transmitted
by this email.
www.wipro.com
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org