shiro-user mailing list archives

From Luke Biddell <luke.bidd...@gmail.com>
Subject RESTful uris and direct object reference manipulation (OWASP #4)
Date Fri, 02 Sep 2011 15:58:24 GMT
I'm using shiro in conjunction with Jersey jax-rs and am hoping for some
guidance around the following scenario.


Imagine I have the following uri provided by my Jersey resource:

    /accounts/{accountId}

The rules around access are such that:

    sysadmin role can access it always
    accountadmin role can access it if accountId is the same as their
account id principal

So I have two accounts, id 1 and 2.

    Sysadmin can access both /accounts/1 and /accounts/2.
    accountadmin for account 1 can access /accounts/1.
    accountadmin for account 1 gets a 403 forbidden when trying to access
/accounts/2.
    accountadmin for account 2 can access /accounts/2.
    accountadmin for account 2 gets a 403 forbidden when trying to access
/accounts/1.


The current rest filter sees the two accountadmins as the same.


I know I can handle this in code by cross-referencing the uri parameter with
the user's account id principal.

Is there a slick way using Shiro's ini filter chains etc?


Any nicer suggestions?

End game is to secure my app against the OWASP Top 10 and this is #4.

https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References


Thanks

Luke
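One way to implement the object-level check described in the post, as an added example that is not part of the original thread and not Shiro's or Jersey's own code. It assumes Shiro 1.x and JAX-RS 1.1 on the classpath, and it assumes the realm adds a hypothetical `AccountPrincipal` (carrying the user's own account id) to the Subject's principal collection at login; the role names `sysadmin` and `accountadmin` and the `account:read:<id>` permission string are taken from the post or constructed for the example.

```java
// Added example, not from the original post. Assumes Shiro 1.x and JAX-RS 1.1.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

@Path("/accounts/{accountId}")
public class AccountResource {

    /** Hypothetical principal type the realm is assumed to add at login (not part of Shiro). */
    public static final class AccountPrincipal {
        private final long accountId;
        public AccountPrincipal(long accountId) { this.accountId = accountId; }
        public long getAccountId() { return accountId; }
    }

    /**
     * Object-level authorization: may the current subject act on the account
     * named in the URI? Kept separate from the resource method so the same rule
     * can be reused by PUT/DELETE handlers and unit-tested with a mock Subject.
     */
    static boolean mayAccessAccount(Subject subject, long requestedAccountId) {
        // Rule 1: sysadmin may reach any account.
        if (subject.hasRole("sysadmin")) {
            return true;
        }
        // Rule 2: accountadmin may reach only the account bound to their principal.
        if (subject.hasRole("accountadmin")) {
            AccountPrincipal p = subject.getPrincipals().oneByType(AccountPrincipal.class);
            return p != null && p.getAccountId() == requestedAccountId;
        }
        // Anyone else, including an accountadmin with no AccountPrincipal, is denied.
        return false;
    }

    /**
     * Alternative that pushes the rule into the realm: grant sysadmin the wildcard
     * permission "account:*" and each accountadmin "account:*:<their own id>".
     * The resource then asks one question and Shiro's WildcardPermission matching
     * decides; the URI id never needs to be compared by hand in resource code.
     */
    static boolean mayReadAccountViaPermission(Subject subject, long requestedAccountId) {
        return subject.isPermitted("account:read:" + requestedAccountId);
    }

    @GET
    @Produces("application/json")
    public Response getAccount(@PathParam("accountId") long accountId) {
        Subject subject = SecurityUtils.getSubject();
        if (!mayAccessAccount(subject, accountId)) {
            // 403 for a cross-account request; the response body reveals nothing
            // about whether the other account exists.
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        // Placeholder body; a real resource would load the account from storage here.
        return Response.ok("{\"accountId\":" + accountId + "}").build();
    }
}
```

With the permission-string variant, a static INI `[roles]` section can give `sysadmin` the `account:*` permission, but the per-user `account:*:<id>` grant for each accountadmin has to come from the realm's authorization lookup (for example `doGetAuthorizationInfo` in an `AuthorizingRealm`), since a fixed INI file cannot know every account id. Either way the check runs per request against the path parameter, which is the point of the IDOR defence: authentication and a role filter alone cannot tell the two accountadmins apart.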
