Neither did I. My initial thought was that you are mixing syntax
validation with semantic validation (authorization). A security hole
implies authorization; AFAIK this falls outside the classic REST scope
and thus Jersey. Are you using basic HTTP authorization? In that case,
you will need to carry that forward and use it every time your resources
are accessed.
/Casper
Paul Sandoz wrote:
> Hi,
>
> Is this not an issue w.r.t. authorization based on the principal that
> is authenticated?
>
> And/Or do different clients have different sets of buildings?
>
> I guess you can tell from my questions that I do not really understand
> your example,
> Paul.
>
> On Nov 4, 2009, at 3:35 PM, Jordi Domingo wrote:
>
>> Hi all!
>>
>> I've found a security hole in my own application that is solved right
>> now, but I want to know your thoughts about the best way to validate
>> the URL.
>>
>> For example:
>>
>> http://localhost:8080/clients/1/buildings/29/floors/9
>>
>> If we take a look, we see we are asking for the floor 9 in the
>> building 29 of the client 1. In my case, all floors have an ID and a
>> foreign key to buildings, and buildings have an ID and a foreign key
>> to clients.
>> To search for a floor I just need the floor ID, and if we only validate the
>> client ID (1) a malicious user with access to client 2 may access
>> floor 9 asking
>>
>> http://localhost:8080/clients/2/buildings/29/floors/9
>>
>>
>> It's just a demo, but I hope I wrote it well so everybody understands it.
>>
>> My question here is, the database design is bad, which way do you think will
>> be better to validate the URL?
>>
>> Thanks,
>>
>> Jordi
>>
>
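
The problem described in this thread, as an added example that is not code from any of the posters or from Jersey: a lookup that authorizes only the client ID in the path, next to one that ties every path segment to its parent and to the authenticated user in a single query. The table and column names, the `user_clients` mapping and the users are assumptions constructed for illustration; Python with SQLite is used only to keep it self-contained.

```python
import sqlite3

# Constructed data: floors -> buildings -> clients, as described in the thread.
# user_clients (who may see which client) is an assumed table, not from the thread.
SCHEMA = """
CREATE TABLE clients      (id INTEGER PRIMARY KEY);
CREATE TABLE buildings    (id INTEGER PRIMARY KEY, client_id INTEGER NOT NULL);
CREATE TABLE floors       (id INTEGER PRIMARY KEY, building_id INTEGER NOT NULL, name TEXT);
CREATE TABLE user_clients (username TEXT NOT NULL, client_id INTEGER NOT NULL);
INSERT INTO clients      VALUES (1), (2);
INSERT INTO buildings    VALUES (29, 1), (30, 2);
INSERT INTO floors       VALUES (9, 29, 'client 1 floor'), (10, 30, 'client 2 floor');
INSERT INTO user_clients VALUES ('alice', 1), ('mallory', 2);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def floor_client_check_only(db, user, client_id, building_id, floor_id):
    """Flawed: authorizes the client id in the path, then loads the floor by id alone."""
    allowed = db.execute(
        "SELECT 1 FROM user_clients WHERE username = ? AND client_id = ?",
        (user, client_id)).fetchone()
    if not allowed:
        return None
    row = db.execute("SELECT name FROM floors WHERE id = ?", (floor_id,)).fetchone()
    return row[0] if row else None

def floor_scoped(db, user, client_id, building_id, floor_id):
    """Fixed: one query ties floor -> building -> client -> authenticated user."""
    row = db.execute(
        """SELECT f.name
             FROM floors f
             JOIN buildings b     ON b.id = f.building_id
             JOIN user_clients uc ON uc.client_id = b.client_id
            WHERE f.id = ? AND b.id = ? AND b.client_id = ? AND uc.username = ?""",
        (floor_id, building_id, client_id, user)).fetchone()
    # None covers "no such floor", "wrong parent" and "not your client" alike,
    # so the caller can answer 404 without revealing which ids exist.
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # Constructed request: mallory (client 2) asks for /clients/2/buildings/29/floors/9
    print(floor_client_check_only(db, "mallory", 2, 29, 9))
    print(floor_scoped(db, "mallory", 2, 29, 9))
```
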