Currently I'm handling security (checking if the user is in session; if not, validating some stuff put in the header by the company's SiteMinder agent, etc.) with a standard servlet Filter.
To be safe I had bound the following ZK patterns to the filter:
*.zul
*.zhtml
/zkau/*
/zk/*
.zul is obvious to check, but I wanted to be sure someone couldn't spoof one of the ajax requests so I wanted to make sure the internals of what zk does for handling all the 'ajaxy' stuff was filtered as well so I added things like /zk/* and /zkau/* to the urls mapped to the filter.
The drawback is I see a lot of resources intercepted that I don't care about:
zkau/web/9a9c897/zul/img/wnd/wnd-hm.png
In my filter I check various resources like .png, .gif etc. just to be safe and let them pass through, but I'd much prefer the filter isn't even invoked in these cases since it's 'somewhat' expensive to make this resource check.
The question is, could I safely eliminate /zkau/* and/or /zk/* from the url mapping to the filter? I'm assuming I can't eliminate both, but I'm not certain which ones are really responsible for passing across application logic information. Or maybe there is a more specific pattern I can test for?
Hi rickcr,
An ajax request in ZK always has a desktop id; you can check it in the filter as below:
if (req.getRequestURI().contains("zkau") && req.getParameter("dtid") != null) {
    System.out.println(" do check");
}
Regards,
Ben
Thanks Ben, that is certainly great information to know! I'd still prefer not to have to check EVERYTHING that hits the servlet filter and then have to do that check above, but that is useful information and I will definitely use it (versus what I was doing, which was checking for a known list of publicly allowed resources).
I'm still confused though on what are the 'safe' things that I need to set up for my filter mapping? Servlet filters (at least in Tomcat 6 from my understanding) are set to intercept the paths that you provide for them in the filter-mapping url patterns in your web.xml. For example...
<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>*.zul</url-pattern>
</filter-mapping>
Do I really need to also map both /zkau/* and /zk/* to the filter? It looks like I can drop the /zk/* check but I should leave the /zkau/* one and then do the check like you have above for the request param "dtid".
Hi rickcr,
In my opinion, you do not need to check the session, because an ajax request to ZK is only valid if it contains the correct desktopId, componentId, command and value, which is almost impossible from an invalid session. And even if it is from a valid session, it may fake the command by Client Side Programming.
e.g.
assume you have a zul page
<zk>
    <textbox id="tbx" value="test" readonly="true"></textbox>
    <button label="show value" onClick="alert(tbx.getValue());"></button>
</zk>
The textbox should never be changed, and you will see an alert box containing 'test' when the button is clicked, obviously.
Now open Firebug and run the code below in the console:
jq('$tbx')[0].value = 'changed';
zk.Widget.$('$tbx').fire('onChange', {value: 'changed'}, {toServer:true});
Oops, the value is changed! (the sample uses '$' + user specified id, but you can try it with '#' + uuid)
So what you really have to check is the logic and flow: don't 'do something' by ajax directly; ajax can only 'require you to do something',
then do it at server side with all necessary validation (e.g., check a readonly value against the value stored in the original javabean or db before you use it) instead of only checking the session.
Regards,
Ben
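As an added illustration of the server-side check Ben describes (not code from the thread or from ZK itself), here is a SelectorComposer that keeps its own copy of what the readonly textbox is supposed to contain and refuses the request when a faked onChange has altered the component's value. It assumes the zul above is applied to this composer and that the button carries id="btn"; the trustedValue field stands in for the value you would normally reload from the bean or db.

```java
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.select.SelectorComposer;
import org.zkoss.zk.ui.select.annotation.Listen;
import org.zkoss.zk.ui.select.annotation.Wire;
import org.zkoss.zul.Messagebox;
import org.zkoss.zul.Textbox;

// Hypothetical composer for the <zk> page in the answer above:
// <textbox id="tbx" value="test" readonly="true"/> and <button id="btn" .../>
public class ReadonlyGuardComposer extends SelectorComposer<Component> {

    @Wire
    private Textbox tbx;

    // Server-side copy of the value the readonly textbox must hold.
    // In a real application this would be reloaded from the javabean or db
    // on every request rather than cached in the composer.
    private String trustedValue;

    @Override
    public void doAfterCompose(Component comp) throws Exception {
        super.doAfterCompose(comp);
        // Captured right after rendering, before any client event can arrive.
        trustedValue = tbx.getValue();
    }

    @Listen("onClick = #btn")
    public void showValue() {
        // Never trust the component state for a readonly field: compare what the
        // client-side widget now claims against the server-held value.
        String submitted = tbx.getValue();
        if (!trustedValue.equals(submitted)) {
            // A faked onChange (e.g. fired from the browser console) reached the server.
            tbx.setValue(trustedValue);          // restore the legitimate value
            Messagebox.show("Readonly field was modified by the client; request rejected.");
            return;
        }
        Messagebox.show(trustedValue);
    }
}
```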
Asked: 2012-07-23 21:27:47 +0800
Last updated: Aug 08 '12