users@jersey.java.net

Re: [Jersey] Doubt about URL validation

From: Felipe Gaucho <fgaucho_at_gmail.com>
Date: Thu, 5 Nov 2009 09:37:44 +0100

The path parameter should be part of the query... So there is no
conflict, isn't it?

Sent from my iPhone

On 05.11.2009, at 09:12, Jordi Domingo <noseya_at_hotmail.com> wrote:

> I didn't explain it well.
>
> There's authentication and authorization, but authorization is done
> by client id.
>
> Yes, different clients have different sets of buildings.
>
> The problem is that a URL with clients/2 may contain a buildings/
> 30 that belongs to another client. The server should make a 404
> response to clients/2/buildings/30 because it doesn't exist and should
> be clients/1/buildings/30.
>
> I know this is not a Jersey issue, I'm just asking which way you
> think would be better to implement this kind of URL validation.
>
> Thanks,
>
> Jordi
>
> Date: Wed, 4 Nov 2009 16:24:01 +0100
> From: Paul.Sandoz_at_Sun.COM
> To: users_at_jersey.dev.java.net
> Subject: Re: [Jersey] Doubt about URL validation
>
> Hi,
>
> Is it not an issue w.r.t. authorization based on the principal that
> is authenticated?
>
> And/Or do different clients have different sets of buildings?
>
> I guess you can tell from my questions that I do not really
> understand your example,
> Paul.
>
> On Nov 4, 2009, at 3:35 PM, Jordi Domingo wrote:
>
> Hi all!
>
> I've found a security hole in my own application that is solved right
> now, but I want to know your thoughts about the best way to validate
> the URL.
>
> For example:
>
> http://localhost:8080/clients/1/buildings/29/floors/9
>
> If we take a look, we see we are asking for the floor 9 in the
> building 29 of the client 1. In my case, all floors have an ID and a
> foreign key to buildings, and buildings have an ID and a foreign key
> to clients.
> To search a floor I just need the floor ID, and if we only validate
> the client ID (1), a malicious user with access to client 2 may
> access floor 9 by asking
>
> http://localhost:8080/clients/2/buildings/29/floors/9
>
>
> It's just a demo, but I hope I wrote it well so everybody understands
> it.
>
> My question here is: is the database design bad, and which way do you
> think would be better to validate the URL?
>
> Thanks,
>
> Jordi
>
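The check Jordi is asking about, written out as an added example (not code from the thread or from Jersey itself): a JAX-RS resource that resolves a floor only through the full ownership chain client -> building -> floor, so a floor that exists but sits under another client's building gets the same 404 as a floor that does not exist. The `FloorResource` class, its `resolveFloor` helper and the two in-memory tables standing in for the floors/buildings/clients rows are assumptions made for the example; the data in them is constructed. Whether the authenticated principal is allowed to act as `clientId` at all is the separate authorization step Paul mentions and is not shown here.

```java
import java.util.HashMap;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

/**
 * Added example (not from the thread): every path segment is validated
 * against the one above it, instead of fetching the floor by its ID alone.
 * The two maps below are constructed stand-ins for the database tables.
 */
@Path("clients/{clientId}/buildings/{buildingId}/floors/{floorId}")
public class FloorResource {

    /** Constructed rows: building id -> owning client id (the buildings.client_id foreign key). */
    private static final Map<Long, Long> BUILDING_OWNER = new HashMap<Long, Long>();
    /** Constructed rows: floor id -> containing building id (the floors.building_id foreign key). */
    private static final Map<Long, Long> FLOOR_BUILDING = new HashMap<Long, Long>();

    static {
        BUILDING_OWNER.put(29L, 1L);   // building 29 belongs to client 1
        BUILDING_OWNER.put(30L, 1L);   // building 30 belongs to client 1
        FLOOR_BUILDING.put(9L, 29L);   // floor 9 is in building 29
    }

    /**
     * Returns the floor's building id only if the whole chain
     * client -> building -> floor matches the URL; otherwise null.
     * A lookup by floorId alone (the original hole) would skip both checks.
     */
    static Long resolveFloor(long clientId, long buildingId, long floorId) {
        Long owner = BUILDING_OWNER.get(buildingId);
        if (owner == null || owner.longValue() != clientId) {
            return null;   // building missing, or owned by a different client
        }
        Long building = FLOOR_BUILDING.get(floorId);
        if (building == null || building.longValue() != buildingId) {
            return null;   // floor missing, or located in a different building
        }
        return building;
    }

    @GET
    @Produces("text/plain")
    public String getFloor(@PathParam("clientId") long clientId,
                           @PathParam("buildingId") long buildingId,
                           @PathParam("floorId") long floorId) {
        if (resolveFloor(clientId, buildingId, floorId) == null) {
            // One 404 for both "does not exist" and "exists under another
            // client", so the response does not tell the two cases apart.
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        return "client " + clientId + " / building " + buildingId
                + " / floor " + floorId;
    }
}
```

With the constructed data, `/clients/1/buildings/29/floors/9` resolves, while `/clients/2/buildings/29/floors/9` and `/clients/1/buildings/30/floors/9` both return 404. Against a real database the same check is a single joined query that binds all three path parameters (floor id, building id and the building's client id) rather than the floor id alone, which also avoids the extra round trips of the two-step lookup shown here.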