
List:       struts-user
Subject:    Re: REST 2.1.2
From:       Jeromy Evans <jeromy.evans () blueskyminds ! com ! au>
Date:       2008-08-29 3:36:04
Message-ID: 48B76EA4.2080709 () blueskyminds ! com ! au

stanlick wrote:
> Thanks Jeromy :jumping:
>
> Have you considered the transparency of the REST URL as it relates to
> security and tampering?  Would something like Acegi provide a solution?
> Also, have you considered the likelihood of a user discovering params that
> can be passed and mapped onto your action?  I am getting push back from
> folks in security about how Struts 1.X could block this behavior by
> including only acceptable parameters in the ActionForm
>
> Peace,
> Scott
>

Hi Scott,

I'm not a REST expert, or a REST purist. I like the approach because it 
makes most things simpler (purists have made it seem complicated and 
elitist, which is stupid). 
Generally, I think simpler is good for security administration.

If every resource (or service) has a unique URI, then filters (like 
Acegi) can easily control access to that resource.  As soon as params 
are used to control behaviour it gets complicated.  e.g. /user/add is 
easier to filter than userManager.do?action=add

Also, by following the restful convention for http methods (GETs for 
reads, others for modifications) you can also filter who can invoke the 
read, update or deletes.  Role-based filters can be applied to the 
request (e.g. only admin can POST) and to action methods (only admin can 
invoke create()).  It becomes consistent.

None of this solves the discovery of hidden params that can be passed 
into the action.  As an example, I suppose if you can create a User and a 
User has a hidden flag that indicates that they're an admin, and only an 
admin can set that flag, then there's no good way to filter that other 
than in the action directly or via the DI framework/java security. e.g. 
you could prevent that method from being invoked by Subjects that don't 
have the admin role if the DI container allows that or a security 
manager is set up.  I'm not an expert on Acegi either!

So yeah, it may help a little because you keep things simple and 
follow a convention.  You don't need the REST plugin to do any of this 
though.  It just requires an ActionMapper slightly better than the 
default one in Struts 2.0.x.

cheers,
 Jeromy Evans
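The two points in the reply above, as one added example that is not from the thread and not Struts or Acegi code: a role check keyed on (HTTP method, URI) that handles "only admin can POST/DELETE", and, for the hidden-flag case the filter cannot see, a per-caller parameter allowlist applied before request values are copied onto the target object. The `User`, `Subject` and request parameters are constructed for the demo and the filter rules are illustrative assumptions. In Struts 2 the same allowlist hook is available to an action through the `ParameterNameAware` interface (`acceptableParameterName`).

```java
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example (not from the thread, not Struts code): a request routed to a REST-style
// URI gets (1) a role check keyed on the URI and HTTP method and (2) a parameter
// allowlist applied before values are copied onto the target object.
public class RestParamDemo {

    // Resource created by POST /user. The admin flag is the "hidden" field only an admin may set.
    public static class User {
        public String name;
        public boolean admin;
    }

    // The caller and its roles (constructed stand-in for a container's Principal).
    public static class Subject {
        final String name;
        final Set<String> roles;
        Subject(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<String>(Arrays.asList(roles));
        }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Filter stage: one decision per (method, URI). GET is a read; anything else modifies.
    // Self-registration (POST /user) is open, DELETE on a user is admin-only, unknown URIs are denied.
    static boolean filterAllows(Subject s, String method, String uri) {
        if (uri.equals("/user") && method.equals("POST")) return true;
        if (uri.startsWith("/user/") && method.equals("GET")) return true;
        if (uri.startsWith("/user/") && method.equals("DELETE")) return s.hasRole("admin");
        return false;
    }

    // Binder A: copies every request parameter whose name matches a field (mass assignment).
    // This is what lets admin=true on a registration request promote the caller.
    static User bindAll(Map<String, String> params) throws IllegalAccessException {
        User u = new User();
        for (Map.Entry<String, String> e : params.entrySet()) {
            try {
                setField(User.class.getField(e.getKey()), u, e.getValue());
            } catch (NoSuchFieldException ignored) {
                // no matching field: silently dropped, as a lenient binder would
            }
        }
        return u;
    }

    // Binder B: only names on the allowlist for this caller are copied; "admin" is accepted
    // only when the caller already holds the admin role.
    static User bindAccepted(Subject s, Map<String, String> params) throws IllegalAccessException {
        Set<String> accepted = new HashSet<String>(Arrays.asList("name"));
        if (s.hasRole("admin")) accepted.add("admin");
        User u = new User();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!accepted.contains(e.getKey())) continue;   // rejected: never reaches the object
            try {
                setField(User.class.getField(e.getKey()), u, e.getValue());
            } catch (NoSuchFieldException ignored) {
                // allowlisted name with no field: nothing to set
            }
        }
        return u;
    }

    private static void setField(Field f, User u, String raw) throws IllegalAccessException {
        if (f.getType() == boolean.class) f.setBoolean(u, Boolean.parseBoolean(raw));
        else f.set(u, raw);
    }

    public static void main(String[] args) throws Exception {
        Subject scott = new Subject("scott");            // ordinary caller, no roles
        Subject root = new Subject("root", "admin");

        // Constructed request: POST /user carrying a parameter the registration form never exposed.
        Map<String, String> params = new HashMap<String, String>();
        params.put("name", "scott");
        params.put("admin", "true");

        System.out.println("DELETE /user/7 as scott allowed: " + filterAllows(scott, "DELETE", "/user/7"));
        System.out.println("POST /user as scott allowed:     " + filterAllows(scott, "POST", "/user"));

        // The URL filter passes the registration, so only the binder decides what "admin" does.
        System.out.println("bindAll      -> admin=" + bindAll(params).admin);
        System.out.println("bindAccepted -> admin=" + bindAccepted(scott, params).admin);
        System.out.println("bindAccepted -> admin=" + bindAccepted(root, params).admin);
    }
}
```

Run with `javac RestParamDemo.java && java RestParamDemo`. The filter alone answers the "who may POST or DELETE" question; it cannot see that the registration request also carries `admin=true`, which is why the allowlist lives in the binding step, keyed on the caller's roles, rather than in the URL filter.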


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
