5 Replies Latest reply on Aug 13, 2008 7:57 PM by gus888

    Security on page parameter

    gus888

      Hi all,


      I want to discuss issues about page parameter security. For example, when I select a group (groupId=1112 as the page param) from My Group List, if I change groupId=1112 to groupId=1115 (which is not my group) in the URL and then press enter, I can get the group info of groupId=1115. If I change it to groupId=AAAA, the system will throw exceptions. Recently, I tested this issue on the Facebook web site, and found that if I change the groupId, the system will redirect to my home page.


      Therefore, I am wondering whether we can add a control attribute in the page tag, like

      <page ... urlChanged-view-id="/mygroupList.seam"

      which is similar to
      <page ... no-conversation-view-id="/myHome.xhtml"

      If I change the URL, the system will redirect to "mygroupList.seam". If we don't add this attribute to the page, the system will redirect to the page you want. Can anybody give some advice? Thanks.

        • 1. Re: Security on page parameter
          damianharvey.damianharvey.gmail.com

          What if the user is changing it to a valid ID that they have used before?


          You are much better off validating the ID in the method that the pages.xml calls via the param. Then you can check whether the user is authorised to view this entity as well as checking that the ID is a valid format.


          I went down the datamodel approach to stop users fiddling with IDs and now regret it.


          My 2 pence anyway.


          Cheers,


          Damian.

          • 2. Re: Security on page parameter
            gus888

            Hi Damian,


            It depends. If you allow users to input a valid ID that they have used before, you can ignore the urlChanged-view-id attribute. The same applies to the no-conversation-view-id attribute. Generally, no users try to input a database primary key to get their information. Yes, we can add id validation for each id, but it needs a lot of database connections. Importantly, this id validation is unnecessary, since when list data is retrieved from the database, it is already validated. Now when you try to view an individual item, you validate it again?

            • 3. Re: Security on page parameter
              damianharvey.damianharvey.gmail.com

              Yep. Validate it again. You shouldn't be trusting the client (browser).


              I'm not sure how you'd even try to implement your urlChanged thingy. What if someone bookmarks a page?
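              The server-side check Damian describes, as an added example that is not code from this thread or from Seam itself: a page action that re-validates the groupId page parameter on every request (format, existence, then authorisation), so a changed or bookmarked URL never leaks another user's group. The Group entity, its isMember method, the package name and the pages.xml wiring in the comment are assumptions.

```java
// Added example (not from the thread or Seam). Assumed pages.xml wiring:
//   <page view-id="/group.xhtml" action="#{groupViewer.load}">
//     <param name="groupId" value="#{groupViewer.groupId}"/>
//   </page>
package example;  // hypothetical package

import javax.persistence.EntityManager;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;

@Name("groupViewer")
public class GroupViewer {

    @In private EntityManager entityManager;
    @In private Identity identity;

    // Bound as a String so "groupId=AAAA" fails here instead of in converter code.
    private String groupId;
    private Group group;  // hypothetical JPA entity

    /** Runs before the view renders; returns an outcome to redirect away on any failure. */
    public String load() {
        // 1. Format check: reject non-numeric ids before touching the database.
        long id;
        try {
            id = Long.parseLong(groupId);
        } catch (NumberFormatException e) {
            return "/mygroupList.xhtml";  // assumed to be mapped to a redirect in pages.xml
        }
        // 2. Existence check: an unknown id is handled exactly like a malformed one,
        //    so the response does not reveal which ids exist.
        group = entityManager.find(Group.class, id);
        if (group == null) {
            return "/mygroupList.xhtml";
        }
        // 3. Authorisation check: the logged-in principal must belong to this group.
        //    Group.isMember(String) is a hypothetical method on the entity.
        if (identity.getPrincipal() == null
                || !group.isMember(identity.getPrincipal().getName())) {
            throw new AuthorizationException("not a member of group " + id);
        }
        return null;  // stay on the requested page
    }

    public String getGroupId() { return groupId; }
    public void setGroupId(String groupId) { this.groupId = groupId; }
    public Group getGroup() { return group; }
}
```

              Because the check runs in the page action rather than in the list page, a bookmarked or hand-edited URL goes through the same membership test as a link clicked from My Group List, which is the point Damian makes about not trusting the browser.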
              • 4. Re: Security on page parameter
                gus888

                Damian Harvey wrote on Aug 13, 2008 19:17:

                I'm not sure how'd you'd even try to implement your urlChanged thingy.

                I think the Seam team may have an idea of how to implement this attribute, if they think this attribute is reasonable and necessary, like the Facebook site.


                Damian Harvey wrote on Aug 13, 2008 19:17:

                What if someone bookmarks a page?
                For some sensitive pages, they will not be allowed to be bookmarked.

                • 5. Re: Security on page parameter
                  gus888
                  What if someone bookmarks a page?

                  Hi Damian, I think if users bookmark this page, the system should automatically redirect to urlChanged-view-id="/mygroupList.seam". Thanks.