Java Mailing List Archive

http://www.junlu.com/

Home » Home (12/2007) » Struts 2 »

Re: [S2] User authentication best practice (2nd time...)

Sébastien LABEY

2007-01-31

Replies:

Thanks for your answer.
Maybe I'm not very clear (sorry for my english). Let's imagine the following
request to access the page to update the user informations :
/myApp/userPrepareUpdate.action?id=1234
Anyone can modify the request and change 1234 to any other id and so access
to the informations of another user. That's why I have to check that the
parameter "id" passed in the request has the same value than the "id" in the
user object stored in session.
That can be the same for the page that redirects to any other object of the
application that does not belong to the user (imagine photo gallery)...
So did I miss something? I'm sure yes...

Sebastien



On 1/31/07, Thorsten Schäfer <Uni@(protected):
>
> Hi,
>
> Why do you care about the information in the request? Typically, you
> have a login page and the corresponding action stores the user object
> into the session. In all subsequent requests, you can check the user
> object in the session to determine which user did log in. This works for
> S1, but I'd think that it's the same in S2.
>
> Cheers,
>
> Thorsten
>
> > -----Original Message-----
> > From: Sébastien LABEY [mailto:sebastien.labey@(protected)]
> > Sent: Wednesday, January 31, 2007 8:22 PM
> > To: Struts mailing list
> > Subject: [S2] User authentication best practice (2nd time...)
> >
> > Hi all (sorry for the previous unterminated mail),
> >
> > I would like to know if S2 provides a solution to manage user
> > authentication.
> > I also would like to know if someone could lead me to best practice
> for
> > user
> > creation / authentication to a web application. I'm worried about
> security
> > after the user has logged in, because of the parameters that appear in
> the
> > request. For example, the request that leads to user informations
> > modification shows the id of this user in the request, so I've to
> control
> > that the user id in the request is the same than the one in session
> (in
> > the
> > user object stored in session after login).
> > Do you have some best practices to help me...?
> >
> > thanks in advance
> >
> > Sebastien
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@(protected)
> For additional commands, e-mail: user-help@(protected)
>
>
©2008 junlu.com - Jax Systems, LLC, U.S.A.