Post subject: Hibernate && Web Application
Posted: Thu Jul 14, 2005 10:18 am
Beginner
Joined: Thu Jul 14, 2005 10:11 am
Posts: 32
Well... I need to ask you something! I'm not having a bug... nor an exception. I need to know the following:

I'm developing a web application with WebWork & Hibernate (3.0.2) for a university project. Suppose you have Cat objects, with ID and Name. When your user wants to modify a Cat, well, you search for the cat by its ID and show it on screen. But...

Where do you keep the ID of the cat that's being updated? It's obviously NOT secure to store it as a hidden field inside the update form... How should I handle it? Create a Hibernate Session per user and store it in the JSP session? How would you solve it?

THANKS for your time!!!!!


Jorge L. Perez


Posted: Thu Jul 14, 2005 3:26 pm
Senior
Joined: Wed Jul 13, 2005 4:31 pm
Posts: 142
Location: Seattle, WA
Not secure to show it... why?
Because someone can put in a different ID and send it back to the server... and hence try to update something that they don't have rights to.

I would make sure it's secure... by storing the user in the session, and then checking on the server that the user has rights to modify the object they are trying to modify.


Posted: Thu Jul 14, 2005 4:19 pm
Beginner
Joined: Thu Jul 14, 2005 10:11 am
Posts: 32
Exactly. Not secure because a user can change the ID and... update objects he isn't supposed to touch.

OK... one solution is that one: check if he has permission to change that. But... isn't it easier to keep the ID on the server side? Do you work like this, checking before saving?

Thanks!!


Posted: Thu Jul 14, 2005 4:36 pm
Regular
Joined: Thu May 26, 2005 2:08 pm
Posts: 99
Hiding the ID from the user won't prevent him from guessing an ID and updating it anyway. If your app relies on hidden information for its security, it's not secure.


Posted: Thu Jul 14, 2005 4:54 pm
Senior
Joined: Tue Jun 21, 2005 10:18 am
Posts: 135
Location: South Carolina, USA
Quote:
Hiding the ID from the user won't prevent him from guessing an ID and updating it anyway. If your app relies on hidden information for its security, it's not secure.

+1

There are many products out there that let users hack into the HTTP request/response data and do all kinds of things to it. The only way to truly secure your system is to verify the user is who he says he is (authenticate), and then use role-based or business-rule-based logic to determine whether the user actually has the authority to do what he's requesting to do (authorize).


Posted: Thu Jul 14, 2005 5:07 pm
Beginner
Joined: Thu Jul 07, 2005 7:12 pm
Posts: 25
There are also ways of creating tokens such that if the user modifies request params, one can find out.

Anyway, you'd get more detailed info on this on a Struts-type forum.


Posted: Thu Jul 14, 2005 5:18 pm
Beginner
Joined: Thu Jul 14, 2005 10:11 am
Posts: 32
Hey... that's a really good idea.....

>> Send the ID of the object being modified... plus...
>> Add a hash, obtained from Object ID + Internal user ID

And... when saving the changes... just check if I get the same hash code.

I know, if someone knows the algorithm... I'm dead. But it can work!!!

Thanks, thanks!!
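
The authenticate-then-authorize approach recommended earlier in the thread, as an added example that is not from any poster and not Hibernate's own code: the update handler treats the cat ID from the request as untrusted, takes the current user from the server-side HTTP session, and decides on the server whether that user may modify that cat. The Cat entity with its ownerId field, the session attribute name and the exception class are assumptions; it also notes how the hash idea in the last post relates to this check.

```java
import java.io.Serializable;
import org.hibernate.Session;
import org.hibernate.Transaction;

/** Assumed mapped entity (hypothetical): id, name, and the id of the owning user. */
public class Cat {
    private Long id;
    private String name;
    private Long ownerId;   // kept server-side; authorization is decided on this, not on the form
    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public Long getOwnerId() { return ownerId; }
    public void setOwnerId(Long ownerId) { this.ownerId = ownerId; }
}

class CatUpdateService {
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }
    /**
     * Renames the cat with id catId on behalf of currentUserId.
     * catId comes from the request (hidden field or URL) and is untrusted; currentUserId comes
     * from the server-side HTTP session, e.g. (Long) request.getSession().getAttribute("userId").
     */
    void rename(Session session, Serializable catId, Long currentUserId, String newName) {
        if (currentUserId == null) {
            throw new AccessDeniedException("not authenticated");   // authenticate first
        }
        Transaction tx = session.beginTransaction();
        try {
            Cat cat = (Cat) session.get(Cat.class, catId);           // Hibernate 3: null if absent
            if (cat == null) {
                throw new AccessDeniedException("no such cat");     // same answer as "not yours"
            }
            // Authorize against server-side state. A tampered hidden ID ends up here and is refused;
            // a hash over (cat ID + user ID) could at best detect the tampering, not replace this.
            if (!currentUserId.equals(cat.getOwnerId())) {
                throw new AccessDeniedException("cat " + catId + " is not owned by user " + currentUserId);
            }
            cat.setName(newName);   // persistent instance: the change is flushed on commit
            tx.commit();
        } catch (RuntimeException e) {
            tx.rollback();
            throw e;
        }
    }
}
```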


© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.