users@jersey.java.net

RE: [Jersey] Doubt about URL validation

From: Jordi Domingo <noseya_at_hotmail.com>
Date: Thu, 5 Nov 2009 09:12:21 +0100

I didn't explain it well.
There's authentication and authorization, but authorization is done by client id.
Yes, different clients have different sets of buildings.
The problem is that a URL with clients/2 may contain a buildings/30 that belongs to another client. The server should make a 404 response to clients/2/buildings/30 because it doesn't exist and should be clients/1/buildings/30.
I know this is not a Jersey issue, I'm just asking which way you think would be better to implement this kind of URL validation.
Thanks,
Jordi
Date: Wed, 4 Nov 2009 16:24:01 +0100
From: Paul.Sandoz_at_Sun.COM
To: users_at_jersey.dev.java.net
Subject: Re: [Jersey] Doubt about URL validation

Hi,
Is it not an issue w.r.t. authorization based on the principal that is authenticated?
And/Or do different clients have different sets of buildings?
I guess you can tell from my questions that I do not really understand your example,
Paul.
On Nov 4, 2009, at 3:35 PM, Jordi Domingo wrote:
Hi all!
I've found a security hole in my own application that is solved right now, but I want to know your thoughts about the best way to validate the URL.
For example:
http://localhost:8080/clients/1/buildings/29/floors/9
If we take a look, we see we are asking for the floor 9 in the building 29 of the client 1. In my case, all floors have an ID and a foreign key to buildings, and buildings have an ID and a foreign key to clients.
To search a floor I just need the floor ID, and if we only validate the client ID (1) a malicious user with access to client 2 may access floor 9 asking
http://localhost:8080/clients/2/buildings/29/floors/9

It's just a demo, but I hope I wrote it well so everybody understands it.
My question here is: the database design is bad; which way do you think would be better to validate the URL?
Thanks,
Jordi
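One way to implement the check Jordi is asking for, as an added example that is not code from the original thread, from Jordi's application or from Jersey itself: the root resource authorizes by client id, and each JAX-RS sub-resource locator then verifies that the child id belongs to the parent that was already resolved, so the floor lookup is never done by floor id alone. Both an unknown id and an id owned by another client get the same 404, as the reply above asks, so the response does not confirm that the id exists under some other client. The in-memory ownership maps with sample ids, the role name `client-<id>` used for authorization, and the JAX-RS 1.x API (`javax.ws.rs`, `WebApplicationException`) are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/**
 * Root resource for /clients/{clientId}. Each sub-resource locator below
 * re-checks that the requested child belongs to the parent already resolved,
 * so /clients/2/buildings/29/floors/9 cannot reach a floor of a building
 * owned by client 1.
 */
@Path("/clients/{clientId}")
public class ClientResource {

    // Constructed sample data standing in for the clients/buildings/floors
    // tables and their foreign keys (assumption, not the poster's schema).
    // building id -> owning client id ; floor id -> owning building id
    static final Map<Long, Long> BUILDING_OWNER = new HashMap<Long, Long>();
    static final Map<Long, Long> FLOOR_OWNER = new HashMap<Long, Long>();
    static {
        BUILDING_OWNER.put(29L, 1L); // building 29 belongs to client 1
        BUILDING_OWNER.put(30L, 1L); // building 30 belongs to client 1
        BUILDING_OWNER.put(40L, 2L); // building 40 belongs to client 2
        FLOOR_OWNER.put(9L, 29L);    // floor 9 belongs to building 29
    }

    private final long clientId;

    public ClientResource(@PathParam("clientId") long clientId,
                          @Context SecurityContext security) {
        // Authorization by client id, as in the thread: the authenticated
        // principal must be allowed to act for this client. The role naming
        // scheme "client-<id>" is an assumption of this example.
        if (!security.isUserInRole("client-" + clientId)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        this.clientId = clientId;
    }

    /** /clients/{clientId}/buildings/{buildingId} */
    @Path("buildings/{buildingId}")
    public BuildingResource building(@PathParam("buildingId") long buildingId) {
        Long owner = BUILDING_OWNER.get(buildingId);
        // Unknown building, or a building of another client: 404 in both
        // cases, so the response does not reveal that the id exists elsewhere.
        if (owner == null || owner != clientId) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        return new BuildingResource(buildingId);
    }

    /** Sub-resource for one building; only reachable through a valid client. */
    public static class BuildingResource {
        private final long buildingId;

        BuildingResource(long buildingId) {
            this.buildingId = buildingId;
        }

        /** .../buildings/{buildingId}/floors/{floorId} */
        @Path("floors/{floorId}")
        public FloorResource floor(@PathParam("floorId") long floorId) {
            Long owner = FLOOR_OWNER.get(floorId);
            // Same rule one level down: the floor must belong to THIS building,
            // not merely exist somewhere in the floors table.
            if (owner == null || owner != buildingId) {
                throw new WebApplicationException(Response.Status.NOT_FOUND);
            }
            return new FloorResource(floorId);
        }
    }

    /** Sub-resource for one floor; only reachable through a valid building. */
    public static class FloorResource {
        private final long floorId;

        FloorResource(long floorId) {
            this.floorId = floorId;
        }

        @GET
        public String get() {
            return "floor " + floorId;
        }
    }
}
```

With a real database the same rule can be expressed as a single query that joins the whole chain and filters on every id in the path, for example `SELECT f.* FROM floors f JOIN buildings b ON b.id = f.building_id WHERE f.id = ? AND b.id = ? AND b.client_id = ?`; an empty result is mapped to 404 exactly as above. Either way the point is that the floor id is never trusted on its own: the ids in the URL are only valid as a tuple, and each level is resolved relative to its parent.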