tags:

views:

117

answers:

4
+2  Q: 

How do I prevent unauthorized users from deleting objects in my domain model?

I got similar domain model

  • 1) User. Every user got many cities. @OneToMany(targetEntity=adv.domain.City.class...)
  • 2) City. Every city got many districts @OneToMany(targetEntity=adv.domain.Distinct.class)
  • 3) Distintc

My goal is to delete distinct when user press delete button in browser. After that controller get id of distinct and pass it to bussiness layer. Where method DistinctService.deleteDistinct(Long distinctId) should delegate deliting to DAO layer.

So my question is where to put security restrictions and what is the best way to accomplish it. I want to be sure that i delete distinct of the real user, that is the real owner of city, and city is the real owner of distinct. So nobody exept the owner can't delete ditinct using simple url like localhost/deleteDistinct/5.

I can get user from httpSession in my controller and pass it to bussiness layer.

After that i can get all cities of this user and itrate over them to be sure, that of the citie.id == distinct.city_id and then delete distinct.

But it's rather ridiculous in my opinion.

Also i can write sql query like this ...

delete from 
  t_distinct 
where 
  t_distinct.city_id in (
    select 
      t_city.id 
     from 
       t_city 
       left join t_user on t_user.id = t_city.owner_id 
     where 
       t_user.id = ?
  ) 
  and t_distinct.id = ?

So what is the best practice to add restrictions like this.

I'm using Hibernate, Spring, Spring MVC by the way..

Thank you

+4  A: 

With hibernate you don't have to worry about sql injection. It always uses prepared statements, so you are safe.

As for your concrete case, this is not an sql injection. But to prevent it, make validation in the controller - whether the currently logged user owns the desired ID.

Depending on the size of the application, you can implement some general security scheme, with ownership settings, and apply it (using AOP).

Bozho  2010-06-05 19:34:39
I'm sorry, seems the theme name is wrong. I do not mean sql injection, i mean malefactor can simply pass Id of deleting entity in url and entity will be delete if i would not check if he is real owner of the entity. So my question is what is the best way to check if the user is the owner of entity. User->Book->Page. I want to delete page in book and i got user in HttpSession...
aauser  2010-06-05 19:37:54
Yup, hibernate will generally protect you from SQL injection. I think there is a way to be exposed to it if you tried really hard with custom HQL, but as long as you follow the standard hibernate conventions you are safe.
bwawok  2010-06-05 19:37:54
Look in to spring security if you want to tie user ID to what he can do... never used it but seems like it has some good stuff...
bwawok  2010-06-05 19:38:54
Yes spring security can add some restictions to user_role etc. But id don't need it.My question is much simpler it does not require addinionals framework, i just want to know what is the best way to deal with this situation
aauser  2010-06-05 19:42:39
A: 

Just use your head, quote-escape* everything from an outside (or inside for that matter) source before it gets put in an SQL statement, and check data as it goes in. Or, use prepared statements.

*Edit: By "quote-escape" I meant functions like PHP's mysql_escape_string()

amphetamachine  2010-06-05 19:37:32
Trying to quote escape is a poor way to stop SQL Injection.
bwawok  2010-06-05 19:41:42
+5  A: 

What you're asking for is not SQL Injection prevention. You need to ensure the user attempting the deletion is authorized.

As long as you check that the user accessing the page has the rights to delete the row your trying to delete (this would be checked in the Business layer), and ONLY allow the delete command if the user is authenticated and authorized to perform the action.

Jaymz  2010-06-05 19:39:39
+1 for not being locked in on the title. :) Note that verifying the user identity has to be done not only when the command is made available to the user, but also when the command is used. Input can be spoofed, so it's possible to send a fake reuqest as it would look if the command was enabled.
Guffa  2010-06-05 19:44:52
So your user has a session right? A session can generally be considered secure. A session should tie back to a user in your database, which ties to the entities he can delete. On a delete request, you confirm that the session's user has permission to delete that entity. This could be done by putting a user ID on each entity table.. or somehow using a mapping to show how they are related. If someone changes a param to delete other_guy_123's item, the security layer would see that user_145 does not own other_guy_123s item, so then it would throw an exception
bwawok  2010-06-05 20:59:28
A: 

I understand that i want to be sure, the the user is real owner of Book The question was how to accomplish it. And yes, i know that user is authenticated and authorized. But another authorized user can easy delete pages of another user.

This can be done like this...

User userFromHttpSession ... Long bookId = load page, get bookId, load book, get bookId

List books = userFromHttpSession.getBooks(); ... iterate over books and find out if one of the book.id == bookId ... then if book owner is owner of httpSession, then proceed Delete

It's like too many sql queries, and too many code, probably there are better solution. Anyway thank you for your answers

aauser  2010-06-05 20:17:28

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java