You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Thorsten Schäfer <Un...@ThorstenSchaefer.de> on 2007/02/01 07:45:35 UTC
RE: [S2] User authentication best practice (2nd time...)
Ahh,
I had a similar question a couple of days before. If you request the
data from a DB, you may change your query, e.g.,
SELECT * from picture where id=:id and userId=:userId
to ensure that you may only see your photos. In our implementation, we
kept the database queries and always retrived the business object, but
then compared the business objects' user to the user logged in (and
throw an Exception if they are not equal).
HTH,
Thorsten
> -----Original Message-----
> From: Sébastien LABEY [mailto:sebastien.labey@gmail.com]
> Sent: Wednesday, January 31, 2007 8:57 PM
> To: Struts Users Mailing List
> Subject: Re: [S2] User authentication best practice (2nd time...)
>
> Thanks for your answer.
> Maybe I'm not very clear (sorry for my english). Let's imagine the
> following
> request to access the page to update the user informations :
> /myApp/userPrepareUpdate.action?id=1234
> Anyone can modify the request and change 1234 to any other id and so
> access
> to the informations of another user. That's why I have to check that
the
> parameter "id" passed in the request has the same value than the "id"
in
> the
> user object stored in session.
> That can be the same for the page that redirects to any other object
of
> the
> application that does not belong to the user (imagine photo
gallery)...
> So did I miss something? I'm sure yes...
>
> Sebastien
>
>
>
> On 1/31/07, Thorsten Schäfer <Un...@thorstenschaefer.de> wrote:
> >
> > Hi,
> >
> > Why do you care about the information in the request? Typically, you
> > have a login page and the corresponding action stores the user
object
> > into the session. In all subsequent requests, you can check the user
> > object in the session to determine which user did log in. This works
for
> > S1, but I'd think that it's the same in S2.
> >
> > Cheers,
> >
> > Thorsten
> >
> > > -----Original Message-----
> > > From: Sébastien LABEY [mailto:sebastien.labey@gmail.com]
> > > Sent: Wednesday, January 31, 2007 8:22 PM
> > > To: Struts mailing list
> > > Subject: [S2] User authentication best practice (2nd time...)
> > >
> > > Hi all (sorry for the previous unterminated mail),
> > >
> > > I would like to know if S2 provides a solution to manage user
> > > authentication.
> > > I also would like to know if someone could lead me to best
practice
> > for
> > > user
> > > creation / authentication to a web application. I'm worried about
> > security
> > > after the user has logged in, because of the parameters that
appear in
> > the
> > > request. For example, the request that leads to user informations
> > > modification shows the id of this user in the request, so I've to
> > control
> > > that the user id in the request is the same than the one in
session
> > (in
> > > the
> > > user object stored in session after login).
> > > Do you have some best practices to help me...?
> > >
> > > thanks in advance
> > >
> > > Sebastien
> >
> >
> >
---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > For additional commands, e-mail: user-help@struts.apache.org
> >
> >
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: [S2] User authentication best practice (2nd time...)
Posted by Sébastien LABEY <se...@gmail.com>.
Thank you all.
That's what I was prepared to do. But because I don't know very much about
security, I was wondering if there any risk to let parameters visible in the
request. I will follow your solution Thorsten.
But if anyone has more advices, they should always be helpful !
Thanks.
Sebastien
On 2/1/07, Thorsten Schäfer <Un...@thorstenschaefer.de> wrote:
>
> Ahh,
>
> I had a similar question a couple of days before. If you request the
> data from a DB, you may change your query, e.g.,
> SELECT * from picture where id=:id and userId=:userId
> to ensure that you may only see your photos. In our implementation, we
> kept the database queries and always retrived the business object, but
> then compared the business objects' user to the user logged in (and
> throw an Exception if they are not equal).
>
> HTH,
>
> Thorsten
>
> > -----Original Message-----
> > From: Sébastien LABEY [mailto:sebastien.labey@gmail.com]
> > Sent: Wednesday, January 31, 2007 8:57 PM
> > To: Struts Users Mailing List
> > Subject: Re: [S2] User authentication best practice (2nd time...)
> >
> > Thanks for your answer.
> > Maybe I'm not very clear (sorry for my english). Let's imagine the
> > following
> > request to access the page to update the user informations :
> > /myApp/userPrepareUpdate.action?id=1234
> > Anyone can modify the request and change 1234 to any other id and so
> > access
> > to the informations of another user. That's why I have to check that
> the
> > parameter "id" passed in the request has the same value than the "id"
> in
> > the
> > user object stored in session.
> > That can be the same for the page that redirects to any other object
> of
> > the
> > application that does not belong to the user (imagine photo
> gallery)...
> > So did I miss something? I'm sure yes...
> >
> > Sebastien
> >
> >
> >
> > On 1/31/07, Thorsten Schäfer <Un...@thorstenschaefer.de> wrote:
> > >
> > > Hi,
> > >
> > > Why do you care about the information in the request? Typically, you
> > > have a login page and the corresponding action stores the user
> object
> > > into the session. In all subsequent requests, you can check the user
> > > object in the session to determine which user did log in. This works
> for
> > > S1, but I'd think that it's the same in S2.
> > >
> > > Cheers,
> > >
> > > Thorsten
> > >
> > > > -----Original Message-----
> > > > From: Sébastien LABEY [mailto:sebastien.labey@gmail.com]
> > > > Sent: Wednesday, January 31, 2007 8:22 PM
> > > > To: Struts mailing list
> > > > Subject: [S2] User authentication best practice (2nd time...)
> > > >
> > > > Hi all (sorry for the previous unterminated mail),
> > > >
> > > > I would like to know if S2 provides a solution to manage user
> > > > authentication.
> > > > I also would like to know if someone could lead me to best
> practice
> > > for
> > > > user
> > > > creation / authentication to a web application. I'm worried about
> > > security
> > > > after the user has logged in, because of the parameters that
> appear in
> > > the
> > > > request. For example, the request that leads to user informations
> > > > modification shows the id of this user in the request, so I've to
> > > control
> > > > that the user id in the request is the same than the one in
> session
> > > (in
> > > > the
> > > > user object stored in session after login).
> > > > Do you have some best practices to help me...?
> > > >
> > > > thanks in advance
> > > >
> > > > Sebastien
> > >
> > >
> > >
> ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > > For additional commands, e-mail: user-help@struts.apache.org
> > >
> > >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>