Posted to users@wicket.apache.org by Paolo <ir...@gmail.com> on 2012/03/02 20:38:26 UTC

Wicket authentication: how to store user?

I use this code as base:

http://wicketstuff.org/wicket14/authentication/

I added registration and user/password sign-in and checking with database, instead of simple "wicket" as user and password.
All works ok, but now I need in AdminPage to know which user is logged in.

How can I implement it?
Is there some Wicket implementation?
Do I need to store user in Session or with cookies or in PageParameters? Is it secure?

Thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Wicket authentication: how to store user?

Posted by Dan Retzlaff <dr...@gmail.com>.
I mean that if you accept identifiers of external resources as parameters
(e.g. database primary keys), it is your responsibility to verify that the
authenticated user is authorized to access/modify that external resource.
Frameworks protect session data, but not such external resources.

On Wed, Mar 7, 2012 at 2:33 PM, Paolo <ir...@gmail.com> wrote:

> On Monday 5 March 2012, Dan Retzlaff wrote:
> > Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
> > supplied with each request. It's not possible for one user to guess
> another
> > user's session ID, so the approach Martin describes is inherently secure.
> Ok, thank you and Martin.
>
> > (Just be careful with your authentication code and form/query parameter
> > validation elsewhere in your app!)
> What do you mean?
>
> I used this code as base:
> http://wicketstuff.org/wicket14/authentication/
> And I added registration and user/password sign-in and checking with
> database, instead of simple "wicket" as user and password.
> I also used hash SHA (custom mode) to store password in the database.
>
> I am a newbie, and I am afraid of Internet security.
> I collect user data and I don't want some hacker to extract sensitive
> data from my web app.
>
>
>
> > Dan
> >
> > On Sat, Mar 3, 2012 at 4:40 AM, Paolo <ir...@gmail.com> wrote:
> >
> > > On Saturday 3 March 2012, Martin Grigorov wrote:
> > > > Hi,
> > > >
> > > > Save the logged in user id in the Session.
> > > >
> > > > MySession.java:
> > > >
> > > > private long userId;
> > > >
> > > > public User getUser() {
> > > >   return userService.getUserById(userId);
> > > > }
> > > >
> > > >
> > > > AnyPage.java:
> > > > user = MySession.get().getUser();
> > > >
> > > Thank you for the support and the explanatory code, very useful because I am a
> > > newbie.
> > > Just one more question: Is it secure?
> > > Can someone alter session data and change user data, so a hacker could
> > > log in with their own account but operate with other accounts?
> > > Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to
> > > store temporarily in session and database and associate it to a specific
> > > user?
> > >
> > > > > I added registration and user/password sign-in and checking with
> > > database, instead of simple "wicket" as user and password.
> > > > > All works ok, but now I need in AdminPage to know which user is
> > > logged in.
> > >
> >
>
>
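The check Dan describes, as an added example that is not code from the thread or from the Wicket project: a page that takes a database primary key from the URL and refuses to act on it unless the signed-in user owns that record. It assumes the Wicket 1.5 API (PageParameters, StringValue.toLong, RestartResponseAtInterceptPageException, AbortWithHttpErrorCodeException) and the hypothetical MySession (with isSignedIn() and getUserId()), MyApplication, Document, DocumentService and SignInPage types.

```java
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.mapper.parameter.PageParameters;

/**
 * Added example (not from the thread). Reached at e.g. /documents/edit?id=42.
 * Assumes Wicket 1.5 and the hypothetical MySession, MyApplication, Document,
 * DocumentService and SignInPage types named in the lead-in.
 */
public class EditDocumentPage extends WebPage {
    private static final long serialVersionUID = 1L;

    public EditDocumentPage(PageParameters parameters) {
        super(parameters);
        MySession session = MySession.get();

        // Authentication: the session (protected by the framework) says who is calling.
        if (!session.isSignedIn()) {
            throw new RestartResponseAtInterceptPageException(SignInPage.class);
        }

        // The id comes from the client and is untrusted; -1 if absent or not a number.
        long documentId = parameters.get("id").toLong(-1L);

        // Unsafe variant of the lookup below, the case Dan warns about:
        //   Document document = documents().findById(documentId);
        // With only that line, any signed-in user can read or edit any record by
        // changing ?id= in the address bar (an insecure direct object reference).

        // Authorization: the record must belong to the authenticated user, so the
        // owner filter is part of the query itself and cannot be skipped later.
        Document document = documents().findByIdAndOwner(documentId, session.getUserId());
        if (document == null) {
            // One response for "does not exist" and "not yours", so the page does
            // not reveal which ids exist.
            throw new AbortWithHttpErrorCodeException(404);
        }

        add(new Label("title", document.getTitle()));
    }

    private static DocumentService documents() {
        return MyApplication.get().getDocumentService(); // hypothetical lookup
    }
}
```

The same rule applies to ids submitted in form fields, which is the "form/query parameter validation" Dan mentions: every identifier the client supplies is checked against the user id the session holds, never the other way round.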

Re: Wicket authentication: how to store user?

Posted by Paolo <ir...@gmail.com>.
On Monday 5 March 2012, Dan Retzlaff wrote:
> Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
> supplied with each request. It's not possible for one user to guess another
> user's session ID, so the approach Martin describes is inherently secure.
Ok, thank you and Martin.

> (Just be careful with your authentication code and form/query parameter
> validation elsewhere in your app!)
What do you mean?

I used this code as base:
http://wicketstuff.org/wicket14/authentication/
And I added registration and user/password sign-in and checking with database, instead of simple "wicket" as user and password.
I also used hash SHA (custom mode) to store password in the database.

I am a newbie, and I am afraid of Internet security.
I collect user data and I don't want some hacker to extract sensitive data from my web app.
 


> Dan
> 
> On Sat, Mar 3, 2012 at 4:40 AM, Paolo <ir...@gmail.com> wrote:
> 
> > On Saturday 3 March 2012, Martin Grigorov wrote:
> > > Hi,
> > >
> > > Save the logged in user id in the Session.
> > >
> > > MySession.java:
> > >
> > > private long userId;
> > >
> > > public User getUser() {
> > >   return userService.getUserById(userId);
> > > }
> > >
> > >
> > > AnyPage.java:
> > > user = MySession.get().getUser();
> > >
> > Thank you for the support and the explanatory code, very useful because I am a
> > newbie.
> > Just one more question: Is it secure?
> > Can someone alter session data and change user data, so a hacker could
> > log in with their own account but operate with other accounts?
> > Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to
> > store temporarily in session and database and associate it to a specific
> > user?
> >
> > > > I added registration and user/password sign-in and checking with
> > database, instead of simple "wicket" as user and password.
> > > > All works ok, but now I need in AdminPage to know which user is
> > logged in.
> >
> 


Re: Wicket authentication: how to store user?

Posted by Dan Retzlaff <dr...@gmail.com>.
Alec: yes, that's correct by my understanding.

By the way, I don't think Hielke's description of an accidentally
copy-and-pasted URL is a session attack per se. I'm not sure there's an
easy/standard way to protect such a user from himself. :) What
Session#replaceSession() guards against is an attacker initiating a
session, then luring someone into authenticating the session while
retaining access to the (now authenticated) session.

On Mon, Mar 12, 2012 at 11:04 AM, Alec Swan <al...@gmail.com> wrote:

> So, is this the recommended way to authenticate a user?
>
> // verify user password and store user id in the session
> if (user.getPasswordHash().equals(password)) {
>  final MyWebSession webSession = MyWebSession.get();
>  webSession.setUserName(user.getUserName());
>  webSession.replaceSession();
> }
>
> Thanks,
>
> Alec
>
> On Mon, Mar 12, 2012 at 10:48 AM, Dan Retzlaff <dr...@gmail.com>
> wrote:
> > Yes, I agree. Thanks for clarifying. :)
> >
> > On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve <Hielke.Hoeve@topicus.nl> wrote:
> >
> >> Dan,
> >>
> >> JSESSIONIDs are not inherently secure. Users can be so dumb as to
> >> copy/paste a URL with a JSESSIONID as query parameter and send it to
> >> someone else via email/msn/etc. When that other person clicks the URL,
> >> while the first person is logged in, he is logged in as well.
> >> Web applications should always invalidate the Wicket session before
> >> authenticating. (use Session.get().replaceSession() )
> >>
> >> See also: http://www.owasp.org/index.php/Session_Fixation
> >>
> >> Hielke
> >>
> >> -----Original Message-----
> >> From: Dan Retzlaff [mailto:dretzlaff@gmail.com]
> >> Sent: Monday 5 March 2012 3:53
> >> To: users@wicket.apache.org
> >> Subject: Re: Wicket authentication: how to store user?
> >>
> >> Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
> >> supplied with each request. It's not possible for one user to guess
> another
> >> user's session ID, so the approach Martin describes is inherently
> secure.
> >> (Just be careful with your authentication code and form/query parameter
> >> validation elsewhere in your app!)
> >>
> >> Dan
> >>
> >> On Sat, Mar 3, 2012 at 4:40 AM, Paolo <ir...@gmail.com>
> wrote:
> >>
> >> > On Saturday 3 March 2012, Martin Grigorov wrote:
> >> > > Hi,
> >> > >
> >> > > Save the logged in user id in the Session.
> >> > >
> >> > > MySession.java:
> >> > >
> >> > > private long userId;
> >> > >
> >> > > public User getUser() {
> >> > >   return userService.getUserById(userId); }
> >> > >
> >> > >
> >> > > AnyPage.java:
> >> > > user = MySession.get().getUser();
> >> > >
> >> > Thank you for the support and the explanatory code, very useful because
> >> > I am a newbie.
> >> > Just one more question: Is it secure?
> >> > Can someone alter session data and change user data, so a hacker could
> >> > log in with their own account but operate with other accounts?
> >> > Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe"
> >> > to store temporarily in session and database and associate it to a
> >> > specific user?
> >> >
> >> > > > I added registration and user/password sign-in and checking with
> >> > database, instead of simple "wicket" as user and password.
> >> > > > All works ok, but now I need in AdminPage to know which user is
> >> > logged in.
> >> >

Re: Wicket authentication: how to store user?

Posted by Alec Swan <al...@gmail.com>.
So, is this the recommended way to authenticate a user?

// verify the submitted password against the stored hash, then store the user name in the session
// (passwordHash = hash of the submitted password, computed the same way as at registration)
if (user.getPasswordHash().equals(passwordHash)) {
  final MyWebSession webSession = MyWebSession.get();
  webSession.setUserName(user.getUserName());
  webSession.replaceSession();
}

Thanks,

Alec

On Mon, Mar 12, 2012 at 10:48 AM, Dan Retzlaff <dr...@gmail.com> wrote:
> Yes, I agree. Thanks for clarifying. :)
>
> On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve <Hi...@topicus.nl> wrote:
>
>> Dan,
>>
>> JSESSIONIDs are not inherently secure. Users can be so dumb as to
>> copy/paste a URL with a JSESSIONID as query parameter and send it to
>> someone else via email/msn/etc. When that other person clicks the URL,
>> while the first person is logged in, he is logged in as well.
>> Web applications should always invalidate the Wicket session before
>> authenticating. (use Session.get().replaceSession() )
>>
>> See also: http://www.owasp.org/index.php/Session_Fixation
>>
>> Hielke
>>
>> -----Original Message-----
>> From: Dan Retzlaff [mailto:dretzlaff@gmail.com]
>> Sent: Monday 5 March 2012 3:53
>> To: users@wicket.apache.org
>> Subject: Re: Wicket authentication: how to store user?
>>
>> Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
>> supplied with each request. It's not possible for one user to guess another
>> user's session ID, so the approach Martin describes is inherently secure.
>> (Just be careful with your authentication code and form/query parameter
>> validation elsewhere in your app!)
>>
>> Dan
>>
>> On Sat, Mar 3, 2012 at 4:40 AM, Paolo <ir...@gmail.com> wrote:
>>
>> > On Saturday 3 March 2012, Martin Grigorov wrote:
>> > > Hi,
>> > >
>> > > Save the logged in user id in the Session.
>> > >
>> > > MySession.java:
>> > >
>> > > private long userId;
>> > >
>> > > public User getUser() {
>> > >   return userService.getUserById(userId); }
>> > >
>> > >
>> > > AnyPage.java:
>> > > user = MySession.get().getUser();
>> > >
>> > Thank you for the support and the explanatory code, very useful because I am a
>> > newbie.
>> > Just one more question: Is it secure?
>> > Can someone alter session data and change user data, so a hacker could
>> > log in with their own account but operate with other accounts?
>> > Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe"
>> > to store temporarily in session and database and associate it to a
>> > specific user?
>> >
>> > > > I added registration and user/password sign-in and checking with
>> > database, instead of simple "wicket" as user and password.
>> > > > All works ok, but now I need in AdminPage to know which user is
>> > logged in.
>> >
>>
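Putting Martin's MySession, Hielke's replaceSession() advice and Alec's snippet together, here is an added example of a sign-in routine; it is not code from the thread or from the Wicket project. It assumes the Wicket 1.5 API (WebSession(Request), Session.replaceSession(), Session.invalidateNow()), a hypothetical MyApplication.get().getUserService() lookup, and hypothetical UserService and User types whose password hash is a salted SHA-256 digest stored as bytes. The stored hash and the submitted one are compared with MessageDigest.isEqual rather than String.equals, so the comparison does not stop at the first differing byte.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

/**
 * Added example (not from the thread). Assumes Wicket 1.5 and the hypothetical
 * MyApplication, UserService and User types named in the lead-in.
 */
public class MySession extends WebSession {
    private static final long serialVersionUID = 1L;

    /** Only the id is kept in the session; 0 means nobody is signed in (assumed convention). */
    private long userId = 0L;

    public MySession(Request request) {
        super(request);
    }

    public static MySession get() {
        return (MySession) Session.get();
    }

    public boolean isSignedIn() {
        return userId != 0L;
    }

    public long getUserId() {
        return userId;
    }

    /** Reloads the User from the database on every call, as in Martin's snippet. */
    public User getUser() {
        return isSignedIn() ? users().getUserById(userId) : null;
    }

    /**
     * Checks the credentials and, on success, marks this session as signed in.
     * Returns false for an unknown user and for a wrong password alike.
     */
    public boolean signIn(String username, char[] password) {
        User user = users().getUserByName(username);
        if (user == null) {
            return false;
        }
        byte[] submitted = hashPassword(user.getSalt(), password);
        if (!MessageDigest.isEqual(user.getPasswordHash(), submitted)) {
            return false;
        }
        // Session fixation guard (the OWASP page Hielke links): discard the HTTP
        // session the browser used before login, so a JSESSIONID handed out earlier
        // (e.g. one pasted into a URL) never becomes an authenticated session.
        // Wicket re-binds this MySession object to the new HTTP session, so other
        // session state such as a shopping cart survives, as Dan notes.
        replaceSession();
        userId = user.getId();
        return true;
    }

    public void signOut() {
        userId = 0L;
        invalidateNow();
    }

    /** Salted SHA-256: digest(salt || UTF-8 password), with the salt stored at registration. */
    static byte[] hashPassword(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is available in every JRE", e);
        }
    }

    private static UserService users() {
        return MyApplication.get().getUserService(); // hypothetical lookup
    }
}
```

The application hands out this class by overriding newSession(Request, Response) to return new MySession(request); the login form then calls MySession.get().signIn(name, password) and redirects on true. The order inside signIn is the point of the thread: verify first, call replaceSession(), and only then record the user id, so nothing that marks the session as authenticated is ever attached to the pre-login session id.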



Re: Wicket authentication: how to store user?

Posted by Dan Retzlaff <dr...@gmail.com>.
Yes, I agree. Thanks for clarifying. :)

On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve <Hi...@topicus.nl> wrote:

> Dan,
>
> JSESSIONIDs are not inherently secure. Users can be so dumb as to
> copy/paste a URL with a JSESSIONID as query parameter and send it to
> someone else via email/msn/etc. When that other person clicks the URL,
> while the first person is logged in, he is logged in as well.
> Web applications should always invalidate the Wicket session before
> authenticating. (use Session.get().replaceSession() )
>
> See also: http://www.owasp.org/index.php/Session_Fixation
>
> Hielke
>
> -----Original Message-----
> From: Dan Retzlaff [mailto:dretzlaff@gmail.com]
> Sent: Monday 5 March 2012 3:53
> To: users@wicket.apache.org
> Subject: Re: Wicket authentication: how to store user?
>
> Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
> supplied with each request. It's not possible for one user to guess another
> user's session ID, so the approach Martin describes is inherently secure.
> (Just be careful with your authentication code and form/query parameter
> validation elsewhere in your app!)
>
> Dan
>
> On Sat, Mar 3, 2012 at 4:40 AM, Paolo <ir...@gmail.com> wrote:
>
> > On Saturday 3 March 2012, Martin Grigorov wrote:
> > > Hi,
> > >
> > > Save the logged in user id in the Session.
> > >
> > > MySession.java:
> > >
> > > private long userId;
> > >
> > > public User getUser() {
> > >   return userService.getUserById(userId); }
> > >
> > >
> > > AnyPage.java:
> > > user = MySession.get().getUser();
> > >
> > Thank you for the support and the explanatory code, very useful because I am a
> > newbie.
> > Just one more question: Is it secure?
> > Can someone alter session data and change user data, so a hacker could
> > log in with their own account but operate with other accounts?
> > Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe"
> > to store temporarily in session and database and associate it to a
> > specific user?
> >
> > > > I added registration and user/password sign-in and checking with
> > database, instead of simple "wicket" as user and password.
> > > > All works ok, but now I need in AdminPage to know which user is
> > logged in.
> >

Re: Wicket authentication: how to store user?

Posted by Dan Retzlaff <dr...@gmail.com>.
As long as your shopping cart state is in your Wicket Session (not the HTTP
session) you should be okay. Session#replaceSession() invalidates the HTTP
session, but immediately binds the Wicket Session object to the new HTTP
session. Happy shopper, unhappy attacker. :)

On Mon, Mar 12, 2012 at 12:23 PM, Thomas Götz <to...@decoded.de> wrote:

> That's not always feasible - with respect to user experience. Just think of
> some order process where e.g. you are asked to log in when doing a
> "checkout" (of your shopping cart).
>
>   -Tom
>
>
> Hielke Hoeve wrote:
>
> > Web applications should always invalidate the Wicket session before
> > authenticating. (use Session.get().replaceSession() )
>
>

Re: Wicket authentication: how to store user?

Posted by Thomas Götz <to...@decoded.de>.
That's not always feasible - with respect to user experience. Just think of some order process where e.g. you are asked to log in when doing a "checkout" (of your shopping cart).

   -Tom


Hielke Hoeve wrote:

> Web applications should always invalidate the Wicket session before authenticating. (use Session.get().replaceSession() )




RE: Wicket authentication: how to store user?

Posted by Hielke Hoeve <Hi...@topicus.nl>.
Dan,

JSESSIONIDs are not inherently secure. Users can be so dumb as to copy/paste a URL with a JSESSIONID as query parameter and send it to someone else via email/msn/etc. When that other person clicks the URL, while the first person is logged in, he is logged in as well. Web applications should always invalidate the Wicket session before authenticating. (use Session.get().replaceSession() )

See also: http://www.owasp.org/index.php/Session_Fixation

Hielke

-----Original Message-----
From: Dan Retzlaff [mailto:dretzlaff@gmail.com] 
Sent: Monday 5 March 2012 3:53
To: users@wicket.apache.org
Subject: Re: Wicket authentication: how to store user?

Paolo, sessions are accessed with a JSESSIONID cookie or query parameter supplied with each request. It's not possible for one user to guess another user's session ID, so the approach Martin describes is inherently secure.
(Just be careful with your authentication code and form/query parameter validation elsewhere in your app!)

Dan

On Sat, Mar 3, 2012 at 4:40 AM, Paolo <ir...@gmail.com> wrote:

> On Saturday 3 March 2012, Martin Grigorov wrote:
> > Hi,
> >
> > Save the logged in user id in the Session.
> >
> > MySession.java:
> >
> > private long userId;
> >
> > public User getUser() {
> >   return userService.getUserById(userId); }
> >
> >
> > AnyPage.java:
> > user = MySession.get().getUser();
> >
> Thank you for the support and the explanatory code, very useful because I am a
> newbie.
> Just one more question: Is it secure?
> Can someone alter session data and change user data, so a hacker could
> log in with their own account but operate with other accounts?
> Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to
> store temporarily in session and database and associate it to a specific
> user?
>
> > > I added registration and user/password sign-in and checking with
> database, instead of simple "wicket" as user and password.
> > > All works ok, but now I need in AdminPage to know which user is
> logged in.
>


Re: Wicket authentication: how to store user?

Posted by Dan Retzlaff <dr...@gmail.com>.
Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
supplied with each request. It's not possible for one user to guess another
user's session ID, so the approach Martin describes is inherently secure.
(Just be careful with your authentication code and form/query parameter
validation elsewhere in your app!)

Dan

On Sat, Mar 3, 2012 at 4:40 AM, Paolo <ir...@gmail.com> wrote:

> On Saturday 3 March 2012, Martin Grigorov wrote:
> > Hi,
> >
> > Save the logged in user id in the Session.
> >
> > MySession.java:
> >
> > private long userId;
> >
> > public User getUser() {
> >   return userService.getUserById(userId);
> > }
> >
> >
> > AnyPage.java:
> > user = MySession.get().getUser();
> >
> Thank you for the support and the explanatory code, very useful because I am a
> newbie.
> Just one more question: Is it secure?
> Can someone alter session data and change user data, so a hacker could
> log in with their own account but operate with other accounts?
> Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to
> store temporarily in session and database and associate it to a specific
> user?
>
> > > I added registration and user/password sign-in and checking with
> database, instead of simple "wicket" as user and password.
> > > All works ok, but now I need in AdminPage to know which user is
> logged in.
>

Re: Wicket authentication: how to store user?

Posted by Paolo <ir...@gmail.com>.
On Saturday 3 March 2012, Martin Grigorov wrote:
> Hi,
> 
> Save the logged in user id in the Session.
> 
> MySession.java:
> 
> private long userId;
> 
> public User getUser() {
>   return userService.getUserById(userId);
> }
> 
> 
> AnyPage.java:
> user = MySession.get().getUser();
> 
Thank you for the support and the explanatory code, very useful because I am a newbie.
Just one more question: Is it secure?
Can someone alter session data and change user data, so a hacker could log in with their own account but operate with other accounts?
Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to store temporarily in session and database and associate it to a specific user?

> > I added registration and user/password sign-in and checking with database, instead of simple "wicket" as user and password.
> > All works ok, but now I need in AdminPage to know which user is logged in.



Re: Wicket authentication: how to store user?

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

Save the logged in user id in the Session.

MySession.java:

public class MySession extends WebSession {
  private long userId;

  public static MySession get() {
    return (MySession) Session.get();
  }

  // set once, after the sign-in form has verified the credentials
  public void setUserId(long userId) {
    this.userId = userId;
  }

  // userService: your data access object, looked up from the application
  public User getUser() {
    return userService.getUserById(userId);
  }
}


AnyPage.java:
user = MySession.get().getUser();

On Fri, Mar 2, 2012 at 9:38 PM, Paolo <ir...@gmail.com> wrote:
> I use this code as base:
>
> http://wicketstuff.org/wicket14/authentication/
>
> I added registration and user/password sign-in and checking with database, instead of simple "wicket" as user and password.
> All works ok, but now I need in AdminPage to know which user is logged in.
>
> How can I implement it?
> Is there some Wicket implementation?
> Do I need to store user in Session or with cookies or in PageParameters? Is it secure?
>
> Thank you.
>



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
