struts-dev mailing list archives

From "James Mitchell" <jmitc...@telocity.com>
Subject RE: Security issues with Struts
Date Mon, 01 Jul 2002 16:16:15 GMT
Or.....you could utilize the isTokenValid() in the action class.

http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=struts+istokenvalid




James Mitchell
Software Engineer\Struts Evangelist
Struts-Atlanta, the "Open Minded Developer Network"
http://www.open-tools.org/struts-atlanta




> -----Original Message-----
> From: Hal Deadman [mailto:hal.deadman@Tallan.com]
> Sent: Monday, July 01, 2002 9:49 AM
> To: 'Struts Developers List'
> Subject: RE: Security issues with Struts
>
>
> This does sound like a problem if you use session scoped forms. It seems to
> me like a good reason not to use session scoped forms and another reason to
> minimize use of the session in general. Sessions have other problems that
> arise when a user opens multiple browsers for example. It also argues for
> ensuring that your model layer code doesn't rely on validation done in the
> presentation layer (especially if it's an internet banking application). I
> am not saying your idea for session synchronization wouldn't work but you
> could work around it and you would probably be better off in the end.
>
> Hal
>
> > -----Original Message-----
> > From: Marcel Kruzel [mailto:marcel.kruzel@vsb.cz]
> > Sent: Monday, July 01, 2002 2:46 AM
> > To: struts-dev@jakarta.apache.org
> > Subject: Security issues with Struts
> >
> >
> > Hello Struts developers,
> >
> > We are now developing an internet banking
> > application with Struts of course.
> > Of course, we are highly concerned
> > about possible security holes in the framework
> > (or in the application using the framework).
> > I believe there is one that, when properly
> > used, can cause some troubles for developers!
> >
> > Here it is:
> >
> > Imagine a scenario, where user submits a form,
> > the Struts automatically populate the
> > form bean and then
> > the validation of the parameters takes place.
> > After that, if OK, the perform method is called.
> > Here, I already know, that the
> > params were ok, so I write the
> > transaction to database. The problem here
> > is the perform method. When precisely at the
> > moment of perform method call user decides
> > to submit the form once again (with
> > different values of course), the form bean
> > is again populated, and possibly wrong
> > (not validated) data might be written to database
> > (by the first thread, that is not aware
> > of the second submit).
> > I am afraid there is not a possibility to
> > synchronize access to the form,
> > since the population of form bean is automatic.
> >
> > I know, that the solution to the problem here is
> > in the perform method
> > to make copy of the parameters and then validate
> > them again. Or, I can
> > make validation only in the perform method,
> > but first I have to remove the
> > form bean from session, then validate
> > and then write to database, and then possibly
> > return that form bean to the session.
> >
> > Sorry for so long description,
> > but I tried to make myself as clear as possible.
> >
> > My preferred solution to the problem would be:
> > In the struts-config.xml put an attribute
> > to action, describing, that handling
> > such an action requires session synchronization.
> > Thus everything, starting from form population
> > and ending with "return mapping.findForward(...)"
> > would be synchronized on a session object.
> > (I do this synchronization on a session
> > anyway - in each perform method).
> >
> > So, what do You think?
> >
> > Thanx to all contributors
> > for such a great framework,
> > and enjoy the summer.
> >
> > Marcel Kruzel
> > Czech Republic
> >
> >
> >
> > --
> > To unsubscribe, e-mail:
> > <mailto:struts-dev-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail:
> > <mailto:struts-dev-help@jakarta.apache.org>
> >
>
>
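As an added illustration (not code from this thread or from Struts itself), here is how the token check James points to can be combined with the copy-then-revalidate approach Marcel describes, using the Struts 1.1 Action API. TransferForm, TransferService and the forward names are assumptions; the action that renders the form is assumed to have called saveToken(request) beforehand.

```java
import java.math.BigDecimal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionError;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Guards a session-scoped form against the re-submit race in the thread.
 *  TransferForm / TransferService are hypothetical application classes. */
public class TransferAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // 1. One-shot transaction token: a second submit of the same page is
        //    rejected here instead of racing the first. reset=true consumes it.
        if (!isTokenValid(request, true)) {
            return mapping.findForward("duplicate");
        }
        TransferForm tf = (TransferForm) form;

        // 2. Snapshot the session-scoped bean into locals. Struts may repopulate
        //    tf at any moment; nothing below touches tf again.
        final String fromAccount = tf.getFromAccount();
        final String toAccount = tf.getToAccount();
        final String rawAmount = tf.getAmount();

        // 3. Re-validate the snapshot as a whole (Hal's point: the model layer
        //    must not trust validation that ran earlier against the live bean).
        //    A mixed snapshot from a concurrent repopulate fails here, not later.
        ActionErrors errors = validateTransfer(fromAccount, toAccount, rawAmount);
        if (!errors.isEmpty()) {
            saveErrors(request, errors);
            return mapping.getInputForward();
        }

        // 4. Write using only the validated copy, then issue a fresh token
        //    so the confirmation page can legitimately start a new transfer.
        new TransferService().transfer(fromAccount, toAccount, new BigDecimal(rawAmount));
        saveToken(request);
        return mapping.findForward("success");
    }

    /** Model-layer validation over the copied values, independent of the form bean. */
    static ActionErrors validateTransfer(String from, String to, String rawAmount) {
        ActionErrors errors = new ActionErrors();
        if (from == null || to == null || from.length() == 0 || from.equals(to)) {
            errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("error.accounts"));
        }
        try {
            if (new BigDecimal(rawAmount).signum() <= 0) {
                errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("error.amount"));
            }
        } catch (RuntimeException e) { // null or unparseable amount
            errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("error.amount"));
        }
        return errors;
    }
}
```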