All times are UTC - 5 hours [ DST ]



 Post subject: Prevent users from modifying resources they do not own.
Posted: Fri Sep 18, 2015 2:11 pm
I have been asking this question on security.stackexchange.com [1] and stackoverflow.com [2] but I am still not sure how I can do what I want.

I have an "Admin-Tool". Every logged-in user is an admin (StoreOwner) who owns Stores.

If I have two users admin1 and admin2 where admin1 owns store1 and admin2 owns store2, nothing could stop admin1 from sending storeId=2 instead of storeId=1 to the server and e.g. try to delete an item from store2 even though he does not own it.

This is why I have to do this check:

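Code:
// java.util.Objects.equals compares the ids by value; == on boxed Long compares references
if (Objects.equals(item.getStore().getId(), store.getId())) {
  /* DELETE ITEM */
} else {
  /* NOT ALLOWED - THROW EXCEPTION */
}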


each and every time. But that is dangerous imho because a programmer might forget that thing once in a while and it isn't always obvious that one has to do that.

What I was told is that Spring Security might help me here, but this just prevents users from accessing private areas that need e.g. admin rights compared to a non-admin user. It does not however help me with the issue I described - at least as far as I can tell.

I know that Hibernate has filters - though I have never used them. I am not sure if they are intended to do something like that but could I use it to restrict every access to a store by something like:


Code:
// PSEUDO CODE

@Entity
@ThrowSecurityExceptionOn(storeOwner.id != store.storeOwner.id)
public class Store {

  @Id Long id;
  // ..
}


Here is a "full example" of what I am talking about. The following would delete an Item of the Store but I always have to check programmatically if the Item is from a Store that the StoreOwner in fact owns.

Code:
// StoreService.java

import java.util.Objects;

@Transactional
public ItemDTO deleteItem(String sessionId, Long storeId, ItemDTO itemDto) {

    // sessionId is the cookie I have placed in my database
    // This way I want to ensure that I am only accessing a store
    // that is associated with the logged in store owner (the user basically)
    Store store = this.storeOwnerRepository.getStore(sessionId, storeId);

    Item item = ConvertDTO.convertItem(store, itemDto);

    // THIS CHECK IS WHAT I WANT TO GET RID OF:
    // Check if the store ID that I got using the cookie is the
    // same ID as the store ID from the item that should be deleted
    // (Objects.equals compares by value; == on boxed Long compares references)
    if (Objects.equals(item.getStore().getId(), store.getId())) {
        item = this.storeOwnerRepository.deleteItem(item);
    } else {
        // If this didn't work we have a potentially hostile user:
        throw new RuntimeException("Is somebody trying to delete items from a store he doesn't own?");
    }

    itemDto = ConvertEntity.convertItem(item);
    return itemDto;
}


What would be the best way to get rid of such checks? I don't want to use Hibernate Filters if they weren't invented for this purpose. I would love to use Spring Security but it seems that it is not capable of helping me here.

Can somebody help me through this?

Thank you and best regards,
Stefan.

[1] http://security.stackexchange.com/questions/99941/how-do-i-prevent-users-from-modifying-resources-they-do-not-own
[2] http://stackoverflow.com/questions/32657381/should-i-use-spring-secutiry-hibernate-or-hibernate-filters-for-access-control
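
One way to keep the ownership check in a single place, as an added example that is not part of the original post: the item is resolved from its id together with the authenticated owner, so no caller can reach an item without passing the check. All class and method names are hypothetical, in-memory maps stand in for the database, and the records require Java 16 or later.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical names throughout; in-memory maps stand in for the database.
public class OwnerScopedDemo {
    record Store(long id, long ownerId) {}
    record Item(long id, long storeId) {}

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** The only way to reach an Item; every public method requires the authenticated owner. */
    static class OwnerScopedItems {
        private final Map<Long, Store> stores = new HashMap<>();
        private final Map<Long, Item> items = new HashMap<>();

        void seed(Store s, Item... its) {
            stores.put(s.id(), s);
            for (Item i : its) items.put(i.id(), i);
        }

        // Resolves the item from server-side state only; store data sent by the client is never trusted.
        private Item requireOwned(long ownerId, long itemId) {
            Item item = items.get(itemId);
            Store store = item == null ? null : stores.get(item.storeId());
            // Same error for "missing" and "not yours", so ids cannot be probed.
            if (store == null || store.ownerId() != ownerId)
                throw new AccessDeniedException("item " + itemId + " not available");
            return item;
        }

        Item delete(long ownerId, long itemId) {
            Item item = requireOwned(ownerId, itemId);
            items.remove(itemId);
            return item;
        }
    }

    public static void main(String[] args) {
        OwnerScopedItems repo = new OwnerScopedItems();
        repo.seed(new Store(1, 101), new Item(10, 1)); // constructed data: admin1 is owner 101
        repo.seed(new Store(2, 102), new Item(20, 2)); // constructed data: admin2 is owner 102
        System.out.println("deleted " + repo.delete(101, 10));
        try {
            repo.delete(101, 20); // admin1 asks for an item that belongs to store2
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

In a service like the one in the post, the owner id would come from the server-side session, never from a request parameter.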


© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.