问题
I am writing a server where I have an entity StoreOwner that "owns" or has a @OneToMany relationship to aStore entity (one store owner has 1 to N stores). Each Store has Offer and Item, each also have a @OneToMany relationship with the store (one store has 1 to N offers and 1 to N items).
I am already using GWT Xsrf protection and a session ID that gets associated with the logged in user after each log-in (cookie).
One thing regarding the session ID: The session ID gets placed in my database after the user "identified" himself entering his username and password of course. Not matter if the user got hacked, lost hist laptop or entered the credentials correctly: The user counts as logged in for my server - how should it know better? But ..
There's one thing missing IMHO: What if a logged in (validated) user sends a delete request to the server with IDs of items that he does not own of a store he does not own either? At the moment, I am doing this in my StoreService:
// StoreService.java
@Transactional
public ItemDTO deleteItem(String sessionId, Long storeId, ItemDTO itemDto) {
// sessionId is the cookie I have placed in my database
// This way I want to ensure that I am only accessing a store
// that is associated with the logged in store owner (the user basically)
Store store = this.storeOwnerRepository.getStore(sessionId, storeId);
Item item = ConvertDTO.convertItem(store, itemDto);
// Check if the store ID that I got using the cookie is the
// same ID as the store ID from the item that should be deleted
if(item .getStore().getId() == store.getId()) {
item = this.storeOwnerRepository.deleteItem(item);
} else {
// If this didn't work we have a potentially hostile user:
throw new RuntimeException("Is somebody trying to delete items of a store he doesn't own?");
}
itemDto = ConvertEntity.convertItem(item);
return itemDto;
}
It is the first time that I am trying to write a bigger server application and I want to prevent users from doing such things.
My question is twofold: [1] does what I am doing would really prevent a logged in user from smuggling the IDs of another store he does not own to my server? In addition, [2] can I simplify this a little bit?
My problem is that as the application grows one might - every now and then - forget this check
if(item .getStore().getId() == store.getId()) { /* .. */ }
Of course, I could move that into my StoreOwnerRepository, but do I have better options?
回答1:
It is possible to replicate session IDs. Any user with knowledge of your data could use the above method to delete resources, particularly if the method is exposed via the web as an endpoint. Unless some form of validation mechanism is in place, passing and using the session ID is not inherently secure.
Without knowing more about the architecture of your application, that is about as far as I can take my response.
As a malicious user, I would ask: "What do I need to do to do damage?"
- The session ID
- The store ID
- The item's structure
- How all of the above information is sent to the back end (XML, JSON, etc.)
Knowing that information, using some sort of application like Fiddler or PostMan, I could send bogus requests to your back end.
So, the question, then, is what of the above is easily discoverable and how easy is it to replicate? The answer is: possibly not that difficult. In other words, Your implementation, above, does not prevent a user from doing what I have just mentioned (again, not knowing more about your application).
Hibernate itself is not a security providing mechanism - its sole responsibility is ORM. You might consider looking into Spring Security - that better enables more scalable security measures.
Depending upon what information you have access to, you need to determine a way to best prevent the user from falsifying who they are. Session IDs seem to be falsifiable.
来源:https://stackoverflow.com/questions/32488419/how-do-i-prevent-users-from-modifying-resources-they-do-not-own