
Is it enough to assure an unauthorized user will not click a button?

asked 2009-10-07 18:08:32 +0800

fmcypriano
612 1 7
http://felipecypriano.com...

Hello all,

I have a small doubt. I'm implementing my own way of security based on Stephan's zk_sample project, and this is what I did to protect a button:

    def afterCompose = {
        // hide the button from users who lack the right
        btnEditText.visible = userDetailsService.isCurrentUserGrantedAccess(ACESSO_EDITAR_TEXTO)
    }

    public void onClick_btnEditText() {
        // button code, no more verifications
    }

Obs.: This is Groovy code and it is working.

Is it enough to assure an unauthorized user won't have access to this functionality? Or should I verify access in the onClick event as well?


Regards,
Felipe Cypriano


12 Replies


answered 2009-10-07 19:41:24 +0800

terrytornado (Germany)
9393 3 7 16
http://www.oxitec.de/

Yes, because the Button is not rendered, so no user can click on it :-)

Do it in an extra method, so it's clearer when new components must be added.

    public void checkRights() {
        ...
        btnEditText.visible = userDetailsService.isCurrentUserGrantedAccess(ACESSO_EDITAR_TEXTO)
        ...
    }

best
Stephan


answered 2009-10-08 01:08:04 +0800

henrichen
3869 2
ZK Team

It depends on what kind of service you are providing via your web application. If the data is sensitive then it is better that you still check the security on the server.

Though the button is invisible, a hostile user can still make it visible via, e.g., Firebug. Or, if you don't even render the button (no corresponding HTML button element), a hostile user might fake an Ajax request and fire the "event". Of course, he/she must be familiar with all of these tricks.


answered 2009-10-08 11:30:52 +0800

terrytornado (Germany)
9393 3 7 16
http://www.oxitec.de/

Oh yes, that's an important aspect.

It's on the todo list. A few weeks ago a first try to secure the ZK events in code with the @Secured("") annotation failed.
I hope that other users can explain what is needed (configuration?) so that it works with the annotations.

best
Stephan


answered 2009-10-09 14:39:14 +0800

fmcypriano
612 1 7
http://felipecypriano.com...

updated 2009-10-09 14:39:57 +0800

Until we have an annotation way to simplify the process I'll do what henrichen suggests, something like this:

    public void onClick_btnEditText() {
        // re-check on the server: the client may fire the event even though the button is hidden
        def hasAccess = userDetailsService.isCurrentUserGrantedAccess(ACESSO_EDITAR_TEXTO)
        if (!hasAccess) return
        // actual code goes here
    }

This is enough to prevent a fake JavaScript request, isn't it?

Regards,
Felipe Cypriano


answered 2009-10-09 14:53:35 +0800

terrytornado (Germany)
9393 3 7 16
http://www.oxitec.de/

Yes, because this is running on the server side.

My preferred way would be to go like this:

    @Secured("customerController.btn_editText_onclick")
    public void onClick_btnEditText() {
        // actual code goes here
    }

best
Stephan


answered 2009-10-09 15:25:45 +0800

fmcypriano
612 1 7
http://felipecypriano.com...

updated 2009-10-09 15:26:21 +0800

But this isn't working, you said in an earlier post.

I'm thinking of implementing it using AOP, but I don't know enough about it to figure out a solution right now. For example, we could use the annotation information and add an aspect (correct me if I'm using the wrong term) to verify whether the user has the access.


Regards,
Felipe Cypriano


answered 2009-10-09 20:12:59 +0800

terrytornado (Germany)
9393 3 7 16
http://www.oxitec.de/

updated 2009-10-09 20:14:10 +0800

> But this isn't working, you said in an earlier post.

I only said that I did not get it to work on a first quick try. I hoped that other users have worked with the
spring-security annotation and can explain or post configuration settings.
Remember, I get the rights out of a DB table, not a configuration file.

I have the 'rights' all in there in the spring-sec grantedRights list. The only thing that is missing is to
set up spring-sec so that it works with its @Secured("aRight") annotation. It seems that it must be a listener that
catches the call. So we only have to write a new listener extending the one we are searching for. In there we can
implement the UserWorkspace.isAllowed("aRight").

best
Stephan

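An added example (not from this thread or from zk_sample) of the aspect/listener idea Felipe and Stephan describe above: a dynamic proxy that, before any handler runs, reads a hypothetical @RequiresRight annotation (standing in for Spring Security's @Secured) and checks it against the user's granted rights, so the check happens on the server no matter what the client sent. TextController, RightsChecker and the rights set are assumptions; ACESSO_EDITAR_TEXTO is the constant from the question.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Set;

// Hypothetical annotation standing in for the @Secured("aRight") idea from the thread.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRight { String value(); }

// The controller's contract; the UI framework would call the event handlers through it.
interface TextController {
    @RequiresRight("ACESSO_EDITAR_TEXTO")
    String onClickBtnEditText();
    String onClickBtnView();   // not annotated: any logged-in user may call it
}

// Stand-in for the granted-rights list the thread loads from a DB table (constructed here).
final class RightsChecker {
    private final Set<String> granted;
    RightsChecker(Set<String> granted) { this.granted = granted; }
    boolean isAllowed(String right) { return granted.contains(right); }
}

public class SecuredProxy {
    // Wrap a controller so every handler call is checked on the server, whether the button
    // was hidden, not rendered at all, or the Ajax request was hand-crafted.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target, RightsChecker checker) {
        InvocationHandler handler = (proxy, method, args) -> {
            RequiresRight req = method.getAnnotation(RequiresRight.class);
            if (req != null && !checker.isAllowed(req.value())) {
                throw new SecurityException("missing right " + req.value() + " for " + method.getName());
            }
            return method.invoke(target, args);   // right granted, or none required
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, handler);
    }

    public static void main(String[] args) {
        TextController real = new TextController() {
            public String onClickBtnEditText() { return "text edited"; }
            public String onClickBtnView() { return "text viewed"; }
        };
        // A user with no rights: the view handler works, the edit handler is refused server-side.
        TextController viewer = secure(TextController.class, real, new RightsChecker(Set.of()));
        System.out.println(viewer.onClickBtnView());
        try { viewer.onClickBtnEditText(); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```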

answered 2009-10-10 15:14:36 +0800

fmcypriano
612 1 7
http://felipecypriano.com...

I never took a look into it, but it seems it's like what we do with UserDetailsService: we "only" need to teach Spring Security how to handle the rights/access.

In my case I need an implementation that searches for all Roles that are allowed to use the access @Secured("accessName"); it's a little bit different, but the idea is almost the same.


Regards,
Felipe Cypriano


answered 2009-10-10 17:09:40 +0800

terrytornado (Germany)
9393 3 7 16
http://www.oxitec.de/

Yes.
Today I got the right hint. If the classes (controllers) are Spring managed then Spring can automatically look for a @Secured annotation. At the moment only the backend is Spring managed. I will have a look at it next week, even though the sample app moves away from being easy to understand.

nice weekend
Stephan


answered 2009-10-10 23:38:58 +0800

fmcypriano
612 1 7
http://felipecypriano.com...

All my composers and services are managed by Spring; I'll test it and let you know.

Regards,
Felipe Cypriano

Stats

Asked: 2009-10-07 18:08:32 +0800

Seen: 243 times

Last updated: Oct 12 '09
