I have a similar domain model:

  • 1) User. Every user has many cities. @OneToMany(targetEntity=adv.domain.City.class...)
  • 2) City. Every city has many districts. @OneToMany(targetEntity=adv.domain.Distinct.class)
  • 3) Distinct

My goal is to delete a distinct when the user presses the delete button in the browser. After that the controller gets the id of the distinct and passes it to the business layer, where the method DistinctService.deleteDistinct(Long distinctId) should delegate the deletion to the DAO layer.

So my question is where to put the security restrictions and what the best way to accomplish it is. I want to be sure that I delete a distinct of the real user, who is the real owner of the city, and that the city is the real owner of the distinct, so that nobody except the owner can delete a distinct using a simple URL like localhost/deleteDistinct/5.

I can get the user from the HttpSession in my controller and pass it to the business layer.

After that I can get all cities of this user and iterate over them to make sure that city.id == distinct.city_id, and then delete the distinct.

But that's rather ridiculous in my opinion.

Also, I can write an SQL query like this...

delete from
  t_distinct
where
  t_distinct.city_id in (
    select
      t_city.id
    from
      t_city
      left join t_user on t_user.id = t_city.owner_id
    where
      t_user.id = ?
  )
  and t_distinct.id = ?

So what is the best practice for adding restrictions like this?

I'm using Hibernate, Spring and Spring MVC, by the way.

Thank you

+4  A: 

With Hibernate you don't have to worry about SQL injection. It always uses prepared statements, so you are safe.

As for your concrete case, this is not SQL injection. But to prevent it, do the validation in the controller: check whether the currently logged-in user owns the desired ID.

Depending on the size of the application, you can implement some general security scheme, with ownership settings, and apply it (using AOP).

Bozho
I'm sorry, it seems the title is wrong. I do not mean SQL injection; I mean a malefactor can simply pass the id of the entity to delete in the URL, and the entity will be deleted if I do not check that he is the real owner of the entity. So my question is what the best way is to check whether the user is the owner of the entity. User->Book->Page. I want to delete a page in a book, and I have the user in the HttpSession...
aauser
Yup, Hibernate will generally protect you from SQL injection. I think there is a way to be exposed to it if you tried really hard with custom HQL, but as long as you follow the standard Hibernate conventions you are safe.
bwawok
Look into Spring Security if you want to tie a user ID to what he can do... never used it, but it seems like it has some good stuff...
bwawok
Yes, Spring Security can add some restrictions on user_role etc. But I don't need it. My question is much simpler; it does not require additional frameworks. I just want to know what the best way is to deal with this situation.
aauser
A: 

Just use your head, quote-escape* everything from an outside (or inside, for that matter) source before it gets put in an SQL statement, and check data as it goes in. Or, use prepared statements.

*Edit: By "quote-escape" I meant functions like PHP's mysql_escape_string()

amphetamachine
Trying to quote-escape is a poor way to stop SQL injection.
bwawok
+5  A: 

What you're asking for is not SQL injection prevention. You need to ensure the user attempting the deletion is authorized.

Check that the user accessing the page has the rights to delete the row you're trying to delete (this would be checked in the business layer), and ONLY allow the delete command if the user is authenticated and authorized to perform the action.

Jaymz
+1 for not being locked in on the title. :) Note that verifying the user's identity has to be done not only when the command is made available to the user, but also when the command is used. Input can be spoofed, so it's possible to send a fake request that looks the way it would if the command were enabled.
Guffa
So your user has a session, right? A session can generally be considered secure. A session should tie back to a user in your database, which ties to the entities he can delete. On a delete request, you confirm that the session's user has permission to delete that entity. This could be done by putting a user ID on each entity table, or somehow using a mapping to show how they are related. If someone changes a param to delete other_guy_123's item, the security layer would see that user_145 does not own other_guy_123's item, so it would throw an exception.
bwawok
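As an added example (not code from the question or from any of the answers), here are both of the approaches discussed on this page side by side: the ownership-scoped DELETE from the question, and the check-then-delete in the business layer that Bozho, Jaymz and bwawok describe. It is written in Python with sqlite3 so that it runs stand-alone; the schema, the two users, the cities and the distincts are constructed for this example and only follow the table names in the question's query. The `handle_delete` controller mapping and the HTTP status codes are assumptions about how a controller would surface the outcome, not anything the question or answers specify.

```python
import sqlite3

# Constructed sample schema and rows for this example, following the table
# names in the question's query (t_user, t_city, t_distinct). Alice (id 1)
# owns city 10 with distinct 5; Mallory (id 2) owns city 20 with distinct 6.
SCHEMA = """
CREATE TABLE t_user (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE t_city (id INTEGER PRIMARY KEY,
                     owner_id INTEGER NOT NULL REFERENCES t_user(id));
CREATE TABLE t_distinct (id INTEGER PRIMARY KEY,
                         city_id INTEGER NOT NULL REFERENCES t_city(id));
INSERT INTO t_user VALUES (1, 'alice'), (2, 'mallory');
INSERT INTO t_city VALUES (10, 1), (20, 2);
INSERT INTO t_distinct VALUES (5, 10), (6, 20);
"""


class NotFound(Exception):
    pass


class AccessDenied(Exception):
    pass


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def distinct_exists(conn, distinct_id):
    row = conn.execute("SELECT 1 FROM t_distinct WHERE id = ?", (distinct_id,)).fetchone()
    return row is not None


# Approach 1: the ownership-scoped DELETE from the question. The WHERE clause
# walks distinct -> city -> owner, so an id that belongs to someone else
# matches no row and nothing is deleted. Both values are bound parameters.
SCOPED_DELETE = """
DELETE FROM t_distinct
WHERE t_distinct.id = ?
  AND t_distinct.city_id IN (
        SELECT t_city.id
        FROM t_city
        JOIN t_user ON t_user.id = t_city.owner_id
        WHERE t_user.id = ?
  )
"""


def delete_scoped(conn, distinct_id, session_user_id):
    """Return the number of rows deleted: 1 if the caller owned it, else 0."""
    cur = conn.execute(SCOPED_DELETE, (distinct_id, session_user_id))
    conn.commit()
    return cur.rowcount


# Approach 2: the check-then-delete the answers place in the business layer.
# One join resolves the owner of the target; the service compares it with the
# session user and refuses before touching the row.
OWNER_LOOKUP = """
SELECT t_city.owner_id
FROM t_distinct
JOIN t_city ON t_city.id = t_distinct.city_id
WHERE t_distinct.id = ?
"""


def delete_with_check(conn, distinct_id, session_user_id):
    row = conn.execute(OWNER_LOOKUP, (distinct_id,)).fetchone()
    if row is None:
        raise NotFound(distinct_id)
    if row[0] != session_user_id:
        raise AccessDenied(f"user {session_user_id} does not own distinct {distinct_id}")
    conn.execute("DELETE FROM t_distinct WHERE id = ?", (distinct_id,))
    conn.commit()


def handle_delete(conn, distinct_id, session_user_id):
    """Assumed controller-side mapping of the service outcome to an HTTP status.
    Answering 404 for AccessDenied too would hide whether the id exists at all;
    403 is used here so that the two outcomes stay distinguishable."""
    try:
        delete_with_check(conn, distinct_id, session_user_id)
        return 204
    except NotFound:
        return 404
    except AccessDenied:
        return 403


if __name__ == "__main__":
    db = open_db()
    print("mallory deletes alice's distinct 5 (scoped):", delete_scoped(db, 5, 2), "row(s)")
    print("alice deletes her own distinct 5 (scoped):", delete_scoped(db, 5, 1), "row(s)")
    print("alice deletes mallory's distinct 6 (service):", handle_delete(db, 6, 1))
    print("mallory deletes her own distinct 6 (service):", handle_delete(db, 6, 2))
```

Either way the session user id comes from the server-side session, never from the request, and the check runs on every delete request rather than only when the button is rendered, which is the point Guffa makes above. In the Spring stack of the question, approach 2 corresponds to a `DistinctService.deleteDistinct(distinctId, sessionUserId)` that runs the owner lookup as an HQL join and throws; the AOP variant Bozho mentions factors that same comparison out of each service method into an interceptor. Those mappings are the editor's reading of the answers, not code from them.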
A: 

I understand that I want to be sure that the user is the real owner of the Book. The question was how to accomplish it. And yes, I know that the user is authenticated and authorized. But another authorized user can easily delete the pages of another user.

This can be done like this...

User userFromHttpSession ... Long bookId = load page, get bookId, load book, get bookId

List books = userFromHttpSession.getBooks(); ... iterate over books and find out if one of the book.id == bookId ... then, if the book owner is the owner of the HttpSession, proceed with the delete.

It's too many SQL queries and too much code; probably there is a better solution. Anyway, thank you for your answers.

aauser