before write the question sorry for my english. My question is this:
I have an web application in jsf, the application have new, edit and delete Categories, outgoings, Budgets, users, etc.
When open the edit page i have the url like this:
http://localhost:8080/Practica3/faces/usuarios/edit.xhtml?id=2
the problem is if the user change the number 2 for another number, and the another number exists in the dababase, the page change the data of the id 2 to the data of the new id.
The problem is if the id number X is of a data of another user, and the user that change the id is not in conditions to see that data.
How disable the edit of the id, or denied to show the data to the another user?
Thanks, and i hope have a response.
Just check in service layer if the current user is allowed to edit the requested entity. If not, then throw some security exception for which you could if necessary configure a custom error page in web.xml.
The technical problem has nothing to do with HTTP/JSF. If you "fix" it alone in JSF side, then you still have a gaping security hole in service layer which would affect any other frontend using it. The frontend is not responsible for business restrictions in service layer itself.
The problem is not stopping the editing of the ID. That is on the client side/browser and you cannot stop this value from being edited.
You need to implement propery Access Security Controls. When you get any response back, you need to check if the user can perform the action they specified (read, update, delete, etc.) as well as checking to make sure they have permission to the data they want to perform the action on.
These two topics are on the OWASP Top 10:
A4-Insecure Direct Object References
A7-Missing Function Level Access Control
The pages will tell you what the problem is, mitigation stragegies, and different ways of testing for that in your application.
I would also become familiar with the other Top 10 categories (this is not an all inclusive list but a good starting point).
Related
Does IBM Domino track the last login date for web users(UserName/Password and internet certificate)? I know the access logs contains this information but wanted to know if there may be something built into Domino (maybe in Address Book). Trying to come up with a method to disable web accounts that have not accessed a domino server in a specified time period.
Thanks,
Kev
The User Activity area in the Database Properties picks up from the log.nsf, which is where this information is stored. But, typically, the log.nsf will only have a few days' worth of information. When I've had this requirement before, I've manually captured it via a custom login page or an initUser function I've had in applications.
One of the easiest solutions is to trigger an action from a live web page that generates a database.nsf?openagent event.
like:
or
Ideally you've use the openagent to print a content type and a response, but if you don't browsers do pretty well with invalid responses from servers.
inside your "myagent" you will have the users name available to you to write it to a document.
Your next challenge will be in getting the agent to trigger, but, not too often, ideally only on login.
When a user uses a custom login form it submits the username/password and redirection url in POST method. You could change that to ...?openagent&nexturl=/blablabla.nsf
Your tiny little agent would run one and only one time upon login and update a document in a your custom logging database.
That's a developer's solution.
There are also admin solutions. The server does keep track of active web sessions, but, it does not drop them into the log.nsf like it does upon session ending for a notes session. I don't think it would be too much work from an admin standpoint to get that information there are a lot of event triggers available to you. It's just been way too long since I worked on any server that anyone cared about statistics.
The first thing that I must say is that I never use a web filter on Java Web Applications so perhaps it could be a stupid idea.
I'm trying to create a method that could check the privilegies of the user and give the access or not to a certains pages if he can or not access to these pages.
For a better explanation I will do an example.
You should imagine a crud web application ok?
This application have these web pages: List.xhtml (that contains all rows and the links to manage these rows); create.xhtml (as the name tell it is used for create a new row); edit.xhtml (used for modify a row); and view.xhtml (used for view the details of a certain row).
Now I have 2 types of user: administrator and guest ok? The privilegies are simple to imagine, the administrator can do all things and guest can only view the details of the rows.
Which is the problem? The problem is that I hide the links for create and modify a row but if a guest modify the url can enter however into create.xhtml and edit.xhtml and create/modify a row...
I read some others question like:
Securing JSF applications and jsf security-contraint to protect link when the user is not signed in?
and I wrote this question:
Are there some issue at inserting some check into template?
and now I'd like to create a generic method to implement the check of privileges. I have the following ideas on how to solve this:
create a filter like the one in the second linked question and insert a check like "if the user has this privilege for that action do ... otherwise redirect to error.xhtml".
insert a check directly into the template, like in the third linked question.
Which of these would be the better approach? How is this typically done?
using php if that matters.
If you create a website that has users and groups. Where do you put this in the web application? Do you just put a function at the top of every page (pseudo):
if someone is in a group then they can see this page
or
if someone is in this group they can see this button
That sure seems wrong. I wouldn't want to edit the web app code just to change who can see what group-wise. I'm not sure what I should do or how to implement something like this.
Thanks.
In MySQL, I always create these 4 tables: users, user_groups, permissions and user_groups_permissions which are linked using Foreign Keys.
So, user A can be in a user group B, which this user group permissions are in user_groups_permissions.
Now, I just do a INNER JOIN on this 4 tables (or better, three: users, user_groups_permissions and permissions), the results are permissions that user have. all we need is selecting permissions.key by INNER JOIN.
Now, before processing request, I need to check that Client::has_permissin('send_post') returns true or not. And better, also on top of each user-group-related function.
Note: Client is a class that loads all user permissions just one time, before processing request, and then uses that permissions for whole request-life-time, without needing to access to database several times in that request. Use static methods and $permissions property for this class so you never need to send it's object over your applications classes/methods/functions :)
You can have a utility function which takes user id and group code and return true or false.
You can use that utility function as pseudo at the top of each page and the same function also be used to hide or show sections in your page.
If your web application is in MVC, embed user authorization logic in your controller.
The administrator of the web application I am working on, asks for a 'I wanna know everything' log. He wants to track all what the other users did when they were connected (logged in) to the web app :
What pages he/she visited.
What actions he/she performed.
On what entities (JPA Entities) he/she performed actions.
At what exact time she/he performed a given action if successful.
What attribute of the a given record he/she modified.
The user principals of this user.
All I could do now, is export a CSV file where the administrator finds the user principals, the time this user logged in and logged out.
I also created an example history table in database populated by EclipseLink Customizer to track changes for a corresponding table. (The problem with this EclipseLink customizer is that it is not flexible, because database tables are changing with time (adding/removing attributes) and so are their corresponding entities. And the user does not want to modify things two times (one time in the main table and the second time in the history table)!
Could something like a third library 'log4j' do that?
Is there any alternatives, solutions, or better practices related to my issu!?
Best regards.
Look into Interceptors/Listeners - both for JSF to get page/action and JPA to get data accessed. In your interceptors/listener you could then log to file using log4j.
EclipseLink Listeners
Hibernate Interceptors (for comparison)
JSF Listeners
It is a well known problem to every web developer. As far as I tried to find a good solution to this problem - there was none (or at least I could not find it).
Lets assume the following:
The user does not behave, as he was expected to. The actual project I'm working in uses a navigation within the web portal. But if the user uses the browser's back button, the whole thing becomes jeoprady[?] and the result was not always predictable.
We used the struts framework and stored the back-url into forms - at some places, where we needed a back-url - this has been rendered out of this form's back-url. For there was only a singe field for this information and therefore it was not possible of going back multiple steps.
When you change the "struts-flow" - which may result in using a different form - this information will be lost.
If the user dares to put a bookmark somewhere within your webapp - this information may never have been set and again the result will again be either unpredictable or not flexible enough!
My "solution":
I was storing every navigation-relevant page the user visited onto a stack-like storage into the session. This means a navigation-path is collected and stored for later navigations.
At any page within the webapp, where back-navigations are involved I used a self-made tag which renders the stack-content into the url.
And thats it.
When this back-url was clicked, the stack has been filled with the content from the back-url clicked by the user (which holds all information from the stack once the back-link was rendered).
This is quite clear, because a click on a link is a clear state, where the web developer exactly knows, where the user "is" a this very moment - absolutely independant from whatever the user did before (e.g. hitting the browser back button multiple times). Then the navigation stack is built upon this new state.
Resumé:
It becomes clear, that this won't be the best solution. But it allows storing additional information on the stack like page parameters and some other useful stuff (further developments possible).
So, what were your solutions to this problem?
cheers,
mana
The stack solution sounds interesting, but it will probably break if the user chooses to navigate "in parallel" on different tabs or using bookmarks.
I'm afraid I don't really understand why you have to keep all this state for each user: ideally the web should follow the REST principle and be completely stateless. Therefore a single URL should identify a single resource, without having to keep the navigation history of each user.
If your web app relies heavily on AJAX, you could try to implement something like GMail (admittedly, not so easy...), where each change in the interface is reflected in a change in the page URL. Therefore each page is identified by the current URL and the user can navigate concurrently or use the back button as usual.