cayenne-user mailing list archives

From Andrus Adamchik <and...@objectstyle.org>
Subject Re: ROP security
Date Thu, 16 May 2013 05:55:36 GMT
An explicit security layer provided by Cayenne would be a great improvement to ROP. 

I am currently working on something like this for [JS -> JAX-RS -> Cayenne] stack with
AJAX requests dynamically converted to Cayenne ops, and hence also prone to client hacking
attempts. This one is easier to secure than ROP, as you can attach rules to individual REST
resources, and also sandbox the client to just send query qualifiers and orderings (while
the actual query object is created on the server explicitly). But of course something similar
can be achieved in ROP.

> 1. preventing SQLTemplate/EJBQL queries completely

This may be achieved with a wrapper around ClientServerChannel (can be created via DI customization)
overriding 'onQuery'. I'd go with "deny all/allow SelectQuery, RelationshipQuery, ObjectIdQuery"
rule. These 3 queries can be tightened up a bit too - you can filter on a root entity (and
prefetch paths) and deny certain entities to certain roles. You may also add restricting qualifiers
to SelectQuery (and apply the same to the results of RelationshipQuery and ObjectIdQuery).
I am experimenting with this now in my REST framework. 
 
> 2. adding entity listeners to catch certain write behaviour (we can't do a lot about
> reading data since that's easy to do at the controller level, on the client, but pretty hard
> to construct rules at the model level on the server)

Yeah, you can create a listener with methods tied to some custom annotation (e.g. @RequireRoleOnCommit
or @DenyCommit):

http://cayenne.apache.org/docs/3.1/cayenne-guide/lifecycle-events.html#callback-non-persistent
(see '@interface Tag' example)

So a single listener can handle all entities without knowing anything about them upfront. A
similar listener can be implemented for PostLoad to inspect the returned data (see above).
I suspect the PostLoad one will create a noticeable performance hit though. And like you said
crafting the rules may be hard.

> 3. creating 'partial' object entities which are missing some attributes. Sort of hollow,
> but only hollow on some attributes.

While ROP does not support "server-only" attributes, you can probably stuff those with some
dummy values (NULL?) before returning to the client.

Andrus 


On May 16, 2013, at 2:49 AM, Aristedes Maniatis <ari@ish.com.au> wrote:
> We have a ROP Cayenne application we'd like to lock down a bit more tightly. In particular,
> in a situation where we don't trust the client application hasn't been hacked, we'd like to
> restrict certain activity from the client. I'm thinking of:
> 
> 1. preventing SQLTemplate/EJBQL queries completely
> 2. adding entity listeners to catch certain write behaviour (we can't do a lot about
> reading data since that's easy to do at the controller level, on the client, but pretty hard
> to construct rules at the model level on the server)
> 3. creating 'partial' object entities which are missing some attributes. Sort of hollow,
> but only hollow on some attributes.
> 
> 
> Has anyone attempted anything similar to the above? (2) should be easy enough, but not
> sure about the other requirements.
> 
> 
> Cheers
> Ari
> 
> 
> 
> 
> -- 
> -------------------------->
> Aristedes Maniatis
> ish
> http://www.ish.com.au
> Level 1, 30 Wilson Street Newtown 2042 Australia
> phone +61 2 9550 5001   fax +61 2 9550 4001
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
> 


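A sketch of the "deny all / allow SelectQuery, RelationshipQuery, ObjectIdQuery" channel wrapper from point 1 above, added here as an illustration; it is not code from the thread or from Cayenne itself, and is written against the Cayenne 3.1 DataChannel API. It assumes the wrapper is built on the server per authenticated session (the denied-entity set and row filters coming from that session's role, never from the client) and installed in place of the plain ClientServerChannel, e.g. from a HessianService subclass overriding createChannel(); the class name RestrictedChannel and the checkEntity helper are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import org.apache.cayenne.*;
import org.apache.cayenne.event.EventManager;
import org.apache.cayenne.exp.Expression;
import org.apache.cayenne.graph.GraphDiff;
import org.apache.cayenne.map.*;
import org.apache.cayenne.query.*;

/** Deny-all / allow-list decorator placed in front of the server-side ClientServerChannel (illustrative). */
public class RestrictedChannel implements DataChannel {
    private final DataChannel delegate;               // the real ClientServerChannel
    private final Set<String> deniedEntities;         // ObjEntity names this session's role may not read
    private final Map<String, Expression> rowFilters; // entity name -> qualifier forced onto every SelectQuery

    public RestrictedChannel(DataChannel delegate, Set<String> deniedEntities, Map<String, Expression> rowFilters) {
        this.delegate = delegate; this.deniedEntities = deniedEntities; this.rowFilters = rowFilters;
    }

    @Override
    public QueryResponse onQuery(ObjectContext ctx, Query query) {
        // Deny all: SQLTemplate, EJBQLQuery, NamedQuery or anything else sent by the client never reaches the DataContext.
        if (!(query instanceof SelectQuery || query instanceof RelationshipQuery || query instanceof ObjectIdQuery)) {
            throw new CayenneRuntimeException("Query type not allowed over ROP: " + query.getClass().getName());
        }
        // Root entity check applies to all three allowed query types.
        ObjEntity root = query.getMetaData(getEntityResolver()).getObjEntity();
        checkEntity(root);
        if (query instanceof SelectQuery) {
            SelectQuery select = (SelectQuery) query;
            // Prefetch paths pull in other entities; check the target of each top-level path segment.
            if (select.getPrefetchTree() != null) {
                for (PrefetchTreeNode node : select.getPrefetchTree().getChildren()) {
                    ObjRelationship rel = root.getRelationship(node.getName());
                    checkEntity(rel == null ? null : (ObjEntity) rel.getTargetEntity());
                }
            }
            // Row-level restriction the client cannot strip: AND the server's qualifier onto whatever was sent.
            Expression filter = rowFilters.get(root.getName());
            if (filter != null) {
                select.andQualifier(filter);
            }
        }
        return delegate.onQuery(ctx, query);
    }

    private void checkEntity(ObjEntity entity) {
        if (entity != null && deniedEntities.contains(entity.getName()))
            throw new CayenneRuntimeException("Access to entity denied: " + entity.getName());
    }

    @Override public GraphDiff onSync(ObjectContext ctx, GraphDiff d, int syncType) { return delegate.onSync(ctx, d, syncType); }
    @Override public EntityResolver getEntityResolver() { return delegate.getEntityResolver(); }
    @Override public EventManager getEventManager() { return delegate.getEventManager(); }
}
```

The row filter is only applied to SelectQuery here; as the reply notes, RelationshipQuery and ObjectIdQuery results would need the same restriction applied after the fact (for example in a PostLoad listener) rather than in the query itself.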