security - http parameters override setAttributes?


security - http parameters override setAttributes?

snowch
In my controller postprocessor, I would like to add an event that sets the list of companies that the user can access.  I.e. if the user is an external user, I only want them to have access to their own data.

List<String> companyCodeList = // lookup in db based on userLoginId
Security security = (Security) request.getAttribute("security");
if (security.hasPermission("INTERNAL_STAFF", request.getSession())) {
    // internal staff may see every company: no filter attribute at all
    request.removeAttribute("companyCodeList");
} else {
    // external users are restricted to the companies looked up for their login
    request.setAttribute("companyCodeList", companyCodeList);
}

In the entity condition for the form:

<condition-expr field-name="companyCode" operator="in" value="${parameters.companyCodeList}" ignore-if-empty="true" ignore-if-null="true"/>

It seems that it is possible for malicious users to try to override this by adding http parameters, e.g. http://localhost/myapp/control/something?companyCodeList=ABC

What is the recommended way of passing data from my controller event without using parameters?

Many thanks in advance,

Chris
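As an added illustration (my own code, not OFBiz's and not Chris's), here is a self-contained Java model of the situation described in the post: a context map that merges client-sent request parameters with server-set request attributes under one name, and a defensive way to compute the row-level filter so that a companyCodeList parameter from the client can never widen it. The class and method names (RowLevelFilterDemo, allowedCompanies, effectiveCompanyFilter), the user ids and the company codes are all assumed; the merge-order switch exists because which side wins a key clash is a framework detail that the model does not decide. It also handles an edge case visible in the condition-expr above: with ignore-if-empty="true", an external user whose list comes out empty would have the whole condition dropped, so the filter substitutes a code that matches no row instead of an empty list.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not OFBiz code. Models a screen context that merges
 * client-sent request parameters with server-set request attributes, and a
 * derivation of the row-level filter that nothing the client sends can widen.
 */
public class RowLevelFilterDemo {

    /** Constructed stand-in for the "lookup in db based on userLoginId" step. */
    private static final Map<String, Set<String>> ALLOWED_BY_USER = new HashMap<>();
    static {
        ALLOWED_BY_USER.put("ext_user", new LinkedHashSet<>(Arrays.asList("ACME")));
        ALLOWED_BY_USER.put("ext_user_no_access", new LinkedHashSet<>());
    }

    /**
     * Merge request attributes and request parameters into one map the way a
     * framework context might. Which side wins on a key clash is a framework
     * detail, so both orders are modelled; the point is that a value read from
     * the merged map is only trustworthy if the framework guarantees the order.
     */
    static Map<String, Object> mergedParameters(Map<String, Object> requestAttributes,
                                                Map<String, String[]> requestParameters,
                                                boolean attributesWin) {
        Map<String, Object> combined = new HashMap<>();
        if (attributesWin) {
            combined.putAll(requestParameters);
            combined.putAll(requestAttributes);   // attribute overwrites the parameter
        } else {
            combined.putAll(requestAttributes);
            combined.putAll(requestParameters);   // client parameter overwrites the attribute
        }
        return combined;
    }

    /** Authoritative list: derived from the authenticated login, never from the request. */
    static Set<String> allowedCompanies(String userLoginId) {
        Set<String> allowed = ALLOWED_BY_USER.get(userLoginId);
        return allowed == null ? new LinkedHashSet<>() : new LinkedHashSet<>(allowed);
    }

    /**
     * IN-list for the entity condition. A client-supplied companyCode filter may
     * only narrow the allowed set (intersection), never add to it. The result is
     * never empty: a user with nothing allowed gets a placeholder code that no
     * company has, because a condition flagged ignore-if-empty would otherwise
     * be dropped and expose every row.
     */
    static Set<String> effectiveCompanyFilter(Set<String> allowed, String[] requested) {
        Set<String> result = new LinkedHashSet<>(allowed);
        if (requested != null && requested.length > 0) {
            result.retainAll(Arrays.asList(requested));
        }
        if (result.isEmpty()) {
            result.add("__NO_ACCESS__");   // assumed placeholder: matches no real company row
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed request: the event set the attribute, the client sent a
        // parameter of the same name (the ?companyCodeList=ABC case from the post).
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("companyCodeList", Arrays.asList("ACME"));
        Map<String, String[]> params = new HashMap<>();
        params.put("companyCodeList", new String[] {"ABC"});

        System.out.println("attributes win: "
                + mergedParameters(attrs, params, true).get("companyCodeList"));     // [ACME]
        System.out.println("parameters win: "
                + Arrays.toString((String[]) mergedParameters(attrs, params, false).get("companyCodeList"))); // [ABC]

        // Defensive derivation: the client parameter cannot add ABC to the filter.
        Set<String> allowed = allowedCompanies("ext_user");
        System.out.println("ext_user asking for ABC -> "
                + effectiveCompanyFilter(allowed, params.get("companyCodeList")));   // [__NO_ACCESS__]
        System.out.println("ext_user with no request filter -> "
                + effectiveCompanyFilter(allowed, null));                            // [ACME]
        System.out.println("ext_user_no_access -> "
                + effectiveCompanyFilter(allowedCompanies("ext_user_no_access"), null)); // [__NO_ACCESS__]
    }
}
```

The design choice worth noting is that effectiveCompanyFilter never consults the merged map for the authorization list at all: the allowed set comes from the login id, and the only thing a request parameter can do is narrow it. A request that names only codes outside the allowed set therefore yields no rows rather than the user's own rows, which is the conservative reading of "asked for something you may not see".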

Re: security - http parameters override setAttributes?

BJ Freeman
Have you become familiar with roles and permissions in OFBiz?
You can assign a partyID to another partyID with a link.
Since a company is a party, these are party-to-party relationships.
Also you can use party groups, and one party can be in more than one
party group.

As far as passing parameters, they are part of the session data or context;
when you do a POST the data is not in the URL.


snowch sent the following on 4/24/2009 10:39 PM:

> In my controller postprocessor, I would like to add an event that sets the
> list of companies that the user can access.  I.e. if the user is an external
> user, I only want them to have access to their own data.
>
> companyCodeList = // lookup in db based on userLoginId
> Security security = (Security)request.getAttribute("security");
> if (security.hasPermission("INTERNAL_STAFF", request.getSession())) {
> request.removeAttribute("companyCodeList");
> } else {
> request.setAttribute("companyCodeList", companyCodeList);
> }
>
> In the entity condition for the form:
>
> <condition-expr field-name="companyCode" operator="in"
> value="${parameters.companyCodeList}" ignore-if-empty="true"
> ignore-if-null="true"/>
>
> It seems that it is possible for malicious users to try to override this by
> adding http parameters, e.g.
> http://localhost/myapp/control/something?companyCodeList=ABC
>
> What is the recommended way of passing data from my controller event without
> using parameters?
>
> Many thanks in advance,
>
> Chris

--
BJ Freeman
http://www.businessesnetwork.com/automation
http://bjfreeman.elance.com
http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
Systems Integrator.


Re: security - http parameters override setAttributes?

snowch
Hi BJ,

What I'm trying to achieve is row level security when accessing an entity consisting of legacy data.  The data has a foreign key (companyCode).  Each userLoginId is assigned a list of company codes that they have permission to view.

For the parameter overriding, my example was using an HTTP GET, but companyCodes could be added by a malicious user using an HTTP POST call.  Either way, can a malicious user override the companyCodeList that was added in my event using request.setAttribute("companyCodeList")?

Many thanks,

Chris