I have asked this question on security.stackexchange.com [1] and stackoverflow.com [2], but I am still not sure how I can do what I want.
I have an "Admin-Tool". Every logged-in user is an admin (StoreOwner) that owns Stores.
If I have two users admin1 and admin2 where admin1 owns store1 and admin2 owns store2, nothing could stop admin1 from sending storeId=2 instead of storeId=1 to the server and, e.g., trying to delete an item from store2 even though he does not own it.
This is why I have to do this check:
Code:
// Objects.equals compares the Long values; == on boxed Longs compares
// references and is only reliable for values in the -128..127 cache
if (Objects.equals(item.getStore().getId(), store.getId())) {
    /* DELETE ITEM */
} else {
    /* NOT ALLOWED - THROW EXCEPTION */
}
each and every time. But that is dangerous imho because a programmer might forget that thing once in a while and it isn't always obvious that one has to do that.
What I was told is that Spring Security might help me here, but that only prevents users from accessing private areas that need, e.g., admin rights as compared to a non-admin user. It does not, however, help me with the issue I described - at least as far as I can tell.
I know that Hibernate has filters, though I have never used them. I am not sure if they are intended for something like that, but could I use them to restrict every access to a store with something like:
Code:
// PSEUDO CODE
@Entity
@ThrowSecurityExceptionOn(storeOwner.id != store.storeOwner.id)
public class Store {
@Id Long id;
// ..
}
Here is a "full example" of what I am talking about. The following would delete an Item of the Store, but I always have to check programmatically if the Item is from a Store that the StoreOwner in fact owns.
Code:
// StoreService.java
import java.util.Objects;

@Transactional
public ItemDTO deleteItem(String sessionId, Long storeId, ItemDTO itemDto) {
    // sessionId is the cookie I have placed in my database
    // This way I want to ensure that I am only accessing a store
    // that is associated with the logged in store owner (the user basically)
    Store store = this.storeOwnerRepository.getStore(sessionId, storeId);
    Item item = ConvertDTO.convertItem(store, itemDto);
    // THIS CHECK IS WHAT I WANT TO GET RID OF:
    // Check if the store ID that I got using the cookie is the
    // same ID as the store ID from the item that should be deleted.
    // Objects.equals compares the Long values; == on boxed Longs compares
    // references and is only reliable for values in the -128..127 cache.
    if (Objects.equals(item.getStore().getId(), store.getId())) {
        item = this.storeOwnerRepository.deleteItem(item);
    } else {
        // If this didn't work we have a potentially hostile user:
        throw new RuntimeException("Is somebody trying to delete items from a store he doesn't own?");
    }
    itemDto = ConvertEntity.convertItem(item);
    return itemDto;
}
What would be the best way to get rid of such checks? I don't want to use Hibernate Filters if they weren't invented for this purpose. I would love to use Spring Security, but it seems that it is not capable of helping me here.
Can somebody help me through this?
Thank you and best regards,
Stefan.
[1] http://security.stackexchange.com/questions/99941/how-do-i-prevent-users-from-modifying-resources-they-do-not-own
[2] http://stackoverflow.com/questions/32657381/should-i-use-spring-secutiry-hibernate-or-hibernate-filters-for-access-control
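Added example (editor's, not part of Stefan's post or of any reply on this thread): the usual way to make the ownership check unforgettable is to move it out of the service and into the data access layer, so that every lookup is keyed by the authenticated owner and a foreign item is simply not found. The service then never receives a client-supplied storeId and has no comparison left to skip. All names here (OwnerScopedRepository, findItemOwnedBy, deleteItemOwnedBy) are hypothetical, and plain Java maps stand in for Hibernate so the file runs on its own; the sample stores and items are constructed. The last lines also show why the post's `getId() == getId()` check on boxed Long values is fragile.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/*
 * Added example, not code from the post above. Every lookup is keyed by the
 * authenticated owner, so there is no separate "is this mine?" comparison to
 * forget. Names are hypothetical; run with: java OwnerScopedDeleteExample.java
 */
public class OwnerScopedDeleteExample {

    static final class Store {
        final long id;
        final long ownerId;
        Store(long id, long ownerId) { this.id = id; this.ownerId = ownerId; }
    }

    static final class Item {
        final long id;
        final long storeId;
        Item(long id, long storeId) { this.id = id; this.storeId = storeId; }
    }

    /** Stand-in for the data access layer (a JPA repository would run the same join). */
    static final class OwnerScopedRepository {
        private final Map<Long, Store> stores = new HashMap<>();
        private final Map<Long, Item> items = new HashMap<>();

        void addStore(Store s) { stores.put(s.id, s); }
        void addItem(Item i) { items.put(i.id, i); }

        /**
         * Returns the item only if it sits in a store owned by ownerId. The equivalent
         * query is:  SELECT i.* FROM item i JOIN store s ON s.id = i.store_id
         *            WHERE i.id = :itemId AND s.owner_id = :ownerId
         * A foreign item and a non-existent item look the same to the caller, which
         * also avoids leaking which ids exist in other owners' stores.
         */
        Optional<Item> findItemOwnedBy(long ownerId, long itemId) {
            Item item = items.get(itemId);
            if (item == null) {
                return Optional.empty();
            }
            Store store = stores.get(item.storeId);
            if (store == null || store.ownerId != ownerId) {
                return Optional.empty();
            }
            return Optional.of(item);
        }

        /** Deletes only through the owner-scoped lookup; returns whether anything was deleted. */
        boolean deleteItemOwnedBy(long ownerId, long itemId) {
            Optional<Item> found = findItemOwnedBy(ownerId, itemId);
            found.ifPresent(i -> items.remove(i.id));
            return found.isPresent();
        }
    }

    /**
     * The service takes the owner id from the authenticated session, never from the
     * request, and takes no client-supplied storeId at all. Nothing is left in this
     * method that a programmer could forget to check.
     */
    static final class StoreService {
        private final OwnerScopedRepository repo;
        StoreService(OwnerScopedRepository repo) { this.repo = repo; }

        boolean deleteItem(long authenticatedOwnerId, long itemId) {
            return repo.deleteItemOwnedBy(authenticatedOwnerId, itemId);
        }
    }

    public static void main(String[] args) {
        OwnerScopedRepository repo = new OwnerScopedRepository();
        // Constructed sample data: owner 1 (admin1) owns store 1, owner 2 (admin2) owns store 2.
        repo.addStore(new Store(1L, 1L));
        repo.addStore(new Store(2L, 2L));
        repo.addItem(new Item(1000L, 1L)); // item 1000 lives in store 1
        repo.addItem(new Item(2000L, 2L)); // item 2000 lives in store 2
        StoreService service = new StoreService(repo);

        // admin1 deleting an item from his own store
        System.out.println("admin1 deletes item 1000: " + service.deleteItem(1L, 1000L));
        // admin1 submitting the id of admin2's item: refused by the lookup itself
        System.out.println("admin1 deletes item 2000: " + service.deleteItem(1L, 2000L));
        System.out.println("admin2 still sees item 2000: " + repo.findItemOwnedBy(2L, 2000L).isPresent());

        // Why the post's `getId() == getId()` check is fragile: on boxed Long values
        // outside the -128..127 cache, == compares references, not values.
        Long a = 1000L;
        Long b = 1000L;
        System.out.println("Long 1000 == Long 1000: " + (a == b) + ", equals: " + a.equals(b));
    }
}
```

With Hibernate or Spring Data the same idea is a repository method whose query joins Store and filters on the owner id taken from the session, so the service layer cannot reach an item any other way; Spring Security's method-level authorization can then be layered on top, but it is not required to make the scoping hold.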