Spring MVC security based on Session Attribute - spring

I am using a Security scheme that is based on session attributes. I know that Spring has Acegi Security but I don't have much time to study that module. I just want to share this to solicit comments.
The pseudocode is like this.
On successful Login, I am setting an attribute on user session. The object that I am placing as session attribute is a simple javabean with a map of privileges.
import java.util.Map;
public class UserInfo {
    private String role;                        // User / Guest / Admin / Super Admin
    private Map<String, Boolean> privileges;    // privilege name -> granted?
    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
    public Map<String, Boolean> getPrivileges() { return privileges; }
    public void setPrivileges(Map<String, Boolean> privileges) { this.privileges = privileges; }
    public boolean checkPrivilege(String name) { return privileges != null && Boolean.TRUE.equals(privileges.get(name)); }
}
The session attributes contains the Role also of the user. (He could be a User/Guest/Admin/Super Admin). Now there are certain privileges that are authorized to User.
For my JSP, I just check out the user session for his role and privilege.
My rough code is like this using JSTL
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- assumes the UserInfo bean is stored under "userInfo" and exposes the privilege map as getPrivileges() --%>
<c:if test="${sessionScope.userInfo.role == 'User' and sessionScope.userInfo.privileges['ADD']}">
    <input type="submit" name="add" value="Add"/>   <%-- Add button is shown --%>
</c:if>
<%-- otherwise no Add button is rendered --%>
I have these questions:
Are session attributes considered secure, so that no one else can sniff or hack them?
Is security based on this scheme considered secure enough?

Session attributes are stored on the server side only, so yes, they are secure.
There is no problem with putting these security identifiers into session attributes in terms of security. But that is the easy part of web application security! The hard part is the rest of the security infrastructure, which I am concerned you have not thought about yet.
I recommend you investigate Spring Security.
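As an added example (not code from the question or from either answer): the JSTL check above only decides whether the Add button is rendered, so the handler that actually performs the add has to repeat the same session check, and the session id should be regenerated at login so a cookie the browser held before authentication cannot be reused. The `UserInfo` class here mirrors the question's bean; the attribute name `userInfo`, the `"ADD"` privilege key, the `/add` path and `LoginHelper` are assumed names for illustration.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;   // jakarta.servlet.* on Spring 6 / Servlet 6
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Assumed session bean, mirroring the question's UserInfo: a role plus a privilege map.
class UserInfo {
    private String role;
    private Map<String, Boolean> privileges;
    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
    public Map<String, Boolean> getPrivileges() { return privileges; }
    public void setPrivileges(Map<String, Boolean> privileges) { this.privileges = privileges; }
    public boolean has(String privilege) {
        return privileges != null && Boolean.TRUE.equals(privileges.get(privilege));
    }
}

// Assumed helper (not a Spring API), called once the credentials have been verified.
class LoginHelper {
    static final String ATTR = "userInfo";

    static void establishSession(HttpServletRequest request, UserInfo info) {
        HttpSession session = request.getSession(true);
        // Servlet 3.1+: issue a fresh session id but keep the attributes, so an id the
        // browser held before login (possibly planted by an attacker) no longer works.
        request.changeSessionId();
        session.setAttribute(ATTR, info);
    }
}

// The JSP hides the Add button; this repeats the same rule on the request that performs
// the add, because a client can POST /add without ever rendering the page.
// (Spring 5+: HandlerInterceptor has default methods; on Spring 4 extend HandlerInterceptorAdapter.)
class AddPrivilegeInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        HttpSession session = request.getSession(false);   // never create a session here
        UserInfo info = session == null ? null : (UserInfo) session.getAttribute(LoginHelper.ATTR);
        if (info == null || !"User".equals(info.getRole()) || !info.has("ADD")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;                                  // the handler is not invoked
        }
        return true;
    }
}

@Configuration
class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new AddPrivilegeInterceptor()).addPathPatterns("/add", "/add/**");
    }
}
```

The attribute itself never leaves the server, but the session cookie that points at it does, so it is worth marking the cookie HttpOnly and Secure (Servlet 3.0 `<session-config><cookie-config>` in web.xml) and serving the site over HTTPS; otherwise the cookie, not the attribute, is what gets sniffed.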

Related

Spring boot MVC - Block users from seeing endpoints by changing id in url

I'm writing a pretty simple ecommerce app with Spring Boot and Thymeleaf and I found out that users can see any order by changing the id in the URL.
For example:
A user placed an order with ID 5, so he can see his order at the URL: /order/details/5
But if the user changes the URL to e.g. /order/details/4 he can see the details of an order that he shouldn't be able to see.
Is there a simple way to block this with Spring Security?
First off, let's get some lingo out of the way:
Authentication - The act of proving someone's identity. E.g., you login with a username, but you need a password to prove that it's you.
Authorization - The act of granting a user permission to perform an action.
Those terms are important when reading the Spring Security Documentation.
I assume that you already authenticate users and now you want to authorize them to view, e.g., their own orders, but not those of other users.
But I guess the orders are stored in a database. So you'll probably have to authenticate in your service layer. Meaning Spring Security takes care of authentication and you have the user available. When you fetch some order, you also need to make sure that the authenticated user is the owner.
Another thing to consider is using UUIDs as primary keys. That makes it much harder to guess an ID but this is absolutely no replacement for authorization! Seriously. It is not. Security by obscurity is broken.
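One way to put the ownership check in the service layer, as an added example rather than code from the asker's app or from the answer. It assumes a JPA `Order` entity that records the `ownerUsername` of the customer who placed it, a Spring Data `OrderRepository`, and a Thymeleaf template at `order/details`; all of those names are assumptions.

```java
import java.security.Principal;
import java.util.Optional;
import javax.persistence.Entity;        // jakarta.persistence.* on Spring Boot 3
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Table;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.server.ResponseStatusException;

// Assumed entity: each order records the username of the customer who placed it
// (only the fields this example needs are shown).
@Entity
@Table(name = "orders")
class Order {
    @Id @GeneratedValue
    private Long id;
    private String ownerUsername;
    protected Order() {}                      // required by JPA
    public Long getId() { return id; }
    public String getOwnerUsername() { return ownerUsername; }
}

// Spring Data derives the query from the method name; the owner is part of the
// WHERE clause, so someone else's order is simply not found.
interface OrderRepository extends JpaRepository<Order, Long> {
    Optional<Order> findByIdAndOwnerUsername(Long id, String ownerUsername);
}

@Service
class OrderService {
    private final OrderRepository orders;
    OrderService(OrderRepository orders) { this.orders = orders; }

    // The ownership rule lives in the service layer, so every caller (web page,
    // REST API, batch job) goes through the same owner-scoped lookup.
    public Order getOwnOrder(Long id, String username) {
        return orders.findByIdAndOwnerUsername(id, username)
                // 404 rather than 403: do not confirm to the caller that order 4 exists.
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }
}

@Controller
class OrderController {
    private final OrderService service;
    OrderController(OrderService service) { this.service = service; }

    @GetMapping("/order/details/{id}")
    public String details(@PathVariable("id") Long id, Principal principal, Model model) {
        // principal is the authenticated user that Spring Security placed on the request
        model.addAttribute("order", service.getOwnOrder(id, principal.getName()));
        return "order/details";               // Thymeleaf template
    }
}
```

Scoping the query by owner is the part that matters: a `findById` followed by an `if (order.getOwner().equals(...))` in the controller is easy to forget on the next endpoint, whereas a repository method that cannot return a foreign order is not.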

Validation in Spring with different Roles

I'm just trying to understand the "Validation" within Spring MVC. I set up a small validation form, which is working just fine. However, I got a couple of questions all those tutorials don't answer.
As far as I understand, the Validator just gets every form element altered and checks if it is valid or not. What if I want a user to only be able to alter specific form elements?
Let's say I have an Admin and a regular User on my webpage; they both are allowed to edit their profiles. The admin, however, is allowed to alter his username; the regular user isn't allowed to do that. They both use the "edit-profile.jsp" and therefore the same Validator. I could just grey out the username field in my regular user's view, but let's assume he's not a total BDU and adds a form field via the debugger of his web browser, overriding the actual username input field. He then alters his username and sends the request to MVC. The validator assumes the altered username came from the original input field and updates the user's nickname in the DB accordingly, since both the admin and the regular user just use the same Validator and the same "updateAllAltered" DAO method.
The same goes for select option lists. Let's say the Admin is allowed to set the status of a profile to active AND inactive. The user, however, is only allowed to set his own profile to inactive but can't reactivate it by himself. I could do the same as above, just altering the option panel in the frontend to only show "INACTIVE" in the regular user's dropdown box. But we could repeat the same scenario, where the user just adds a debug form field containing also the option "ACTIVE".
This can get out of hand if e.g. the Admin is allowed to change roles to "admin, member, moderator", while a user who is, e.g., a moderator within a forum can change roles to "member or moderator". He could just again add another field, plug in "admin" and gain total control of the forum.
How is this handled in Spring?
Basically you have to handle this with Spring Security for your use case: design your application security; you will find basic Spring Security examples easily.
For example, you can block HTML in your JSP with the Spring Security tags by user role:
<sec:authorize access="hasAnyRole('ROLE_ADMIN')">
Delete
</sec:authorize>
You can annotate any of your methods with roles to block access:
@Secured({ "ROLE_ADMIN" })
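The role tags and `@Secured` control who may reach a page or method; the asker's problem is which fields of a shared form a given role may bind, which Spring MVC handles at binding time rather than in the Validator. Here is an added example (not code from the question or the answer) that fixes the allowed fields per role in an `@InitBinder` method and checks the value-level rule (a non-admin may deactivate but not reactivate) in the handler. `ProfileForm`, the `/profile` path, the `edit-profile` view name and the role name `ADMIN` are assumptions.

```java
import javax.servlet.http.HttpServletRequest;   // jakarta.servlet.* on Spring 6
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Assumed form-backing bean behind edit-profile.jsp.
class ProfileForm {
    private String username;
    private String email;
    private String status;              // "ACTIVE" or "INACTIVE"
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getStatus() { return status; }
    public void setStatus(String status) { this.status = status; }
}

@Controller
class ProfileController {

    // Runs before request parameters are bound to "profileForm". A parameter that is
    // not on the allow-list is ignored no matter what the browser sends, so an injected
    // username field from a non-admin never reaches the Validator or the DAO.
    // Spring Security's request wrapper maps isUserInRole("ADMIN") to ROLE_ADMIN.
    @InitBinder("profileForm")
    public void restrictFields(WebDataBinder binder, HttpServletRequest request) {
        if (request.isUserInRole("ADMIN")) {
            binder.setAllowedFields("username", "email", "status");
        } else {
            binder.setAllowedFields("email", "status");     // username can never bind
        }
    }

    @PostMapping("/profile")
    public String save(@ModelAttribute("profileForm") ProfileForm form, BindingResult errors,
                       HttpServletRequest request) {
        // Value-level rule the allow-list cannot express: the field is allowed, but
        // only an admin may choose ACTIVE. Checked server-side, not in the dropdown.
        if (!request.isUserInRole("ADMIN") && "ACTIVE".equals(form.getStatus())) {
            errors.rejectValue("status", "status.notAllowed",
                    "Only an administrator can reactivate a profile");
        }
        if (errors.hasErrors()) {
            return "edit-profile";
        }
        // profileService.update(currentUser, form);   // assumed service call
        return "redirect:/profile";
    }
}
```

The role-assignment case from the question is the same pattern: derive the set of roles the current user may assign from the user's own role, and reject any submitted value outside that set in the handler, never trusting the options the page rendered.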

Spring MVC User retrieval strategy

I have a pretty common Spring Web MVC application using Hibernate. The users of the application are stored in a table called USER and there the username, password and a couple of other properties are stored. Also I am using Spring Security with jdbc-user-service in order to secure the application so that only users from this table can access it with their username / password.
Now my problem is that once logged on, I need to access this user object quite often, e.g. in order to get all orders from this user, the address of this user and so on. I know how to access the Principal object, which shares username with my User Object, but I am wondering which would be the best strategy to easily access my custom User object. There are a couple of strategies like putting it in the session, write a findUserByUsername() method and call it whenever needed (which would result in hitting the database quite a lot I think) but I am looking for a smarter way. Is it somehow possible to inject a User object? Or should I rather put it in the session? If so, how would be the best way to achieve this? How could I hook in after the Spring frameworks login event?
Any suggestions?
Thanks
Paul
You could always scope a UserDetails bean to the session (link). This would, of course, be a stateful bean, so you would be free to store any information about your User entity that you need to and access it as long as the session is active. One trip to the database.
Note: The User object (and any related objects) will be detached from the Hibernate Session. Keep this in mind when either 'storing' the values within the bean or accessing them in later processing.
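An added example of the session-scoped approach the answer describes (not the asker's or the answerer's code). It assumes the application's own `User` entity, a `UserRepository` with a `findByUsername` lookup, and a Thymeleaf/JSP view named `account`; those names are assumptions. The bean loads the entity on first use and keeps it for the rest of the session, which is the single database trip the answer mentions.

```java
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

// Assumed: the application's own USER entity and a Hibernate/Spring Data lookup by username.
class User {
    Long id; String username; String email;          // address, orders ... omitted
}
interface UserRepository { User findByUsername(String username); }

// One instance per HTTP session. The CGLIB proxy is what gets injected into singleton
// controllers; each call is routed to the bean belonging to the current session.
// (Make it Serializable if sessions are persisted or replicated across nodes.)
@Component
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
class CurrentUser {
    private final UserRepository users;
    private User user;                        // loaded once per session, then reused

    CurrentUser(UserRepository users) { this.users = users; }

    public User get() {
        if (user == null) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth == null || auth instanceof AnonymousAuthenticationToken) {
                throw new IllegalStateException("no authenticated user in this session");
            }
            // Principal name == USER.username used by the jdbc-user-service: one DB trip per session.
            user = users.findByUsername(auth.getName());
        }
        // Detached from the Hibernate Session from here on: read plain fields, do not
        // touch lazy collections, and reload from the DB if the row may have changed.
        return user;
    }
}

@Controller
class AccountController {
    private final CurrentUser current;
    AccountController(CurrentUser current) { this.current = current; }

    @GetMapping("/account")
    public String account(Model model) {
        model.addAttribute("user", current.get());
        return "account";
    }
}
```

Because the copy lives for the whole session, anything security-relevant that can change while the user is logged in (roles, enabled flag) should still be read from the `Authentication` or the database, not from this cached entity.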

Grails Security Plugin: Where to store additional user data?

I want to use the Grails Spring Security Plugin in my app. It creates a domain class which represents a user. My research on the internet showed me that it is not good to put all the data in this class because it's loaded all the time.
My simple solution to this would be to pack the data in an additional class and then associate it in the security user class. Is this a good way?
It's not "loaded all the time", it's loaded when you authenticate. The username, password, and role names are used to build the Authentication instance that's stored in the HTTP session. This is checked to see if you have access rights for various URLs.
But it can make sense to partition the data into a security-related user class and an associated profile class as @Gregg describes.
You can use a custom userDetailsService implementation to cache data from the User class in the Authentication to avoid having to repeatedly load the whole thing from the database; see http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/11%20Custom%20UserDetailsService.html
Yes, that is a good approach. I've often used a Profile class to attach additional User profile data. I've also added additional properties directly to the User class. It probably depends on how much additional data you're talking about.
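The custom `UserDetailsService` the first answer points to, as an added example that is not from the question, the answers or the plugin. The Grails plugin builds on Spring Security Core, so the Java form is shown; in Grails the same classes would be written in Groovy and registered as the `userDetailsService` bean as the linked guide describes. The `User`/`Profile` split follows the second answer; the field names, `UserRepository` and the `/dashboard` page are assumptions.

```java
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

// Assumed persistence, split as the answer suggests: the security-related User and an
// associated Profile holding everything else.
class Profile { String displayName; String timezone; String bio; /* ... */ }
class User {
    Long id; String username; String passwordHash; boolean enabled;
    List<String> roles;                 // e.g. "ROLE_USER", "ROLE_ADMIN"
    Profile profile;
}
interface UserRepository { User findByUsername(String username); }

// The principal that ends up inside the Authentication, and so in the HTTP session.
// It copies the id and the few profile values needed on most pages; the rest of the
// Profile stays in the database and is loaded only by the pages that need it.
class AppUserDetails implements UserDetails {
    private final Long id;
    private final String username;
    private final String passwordHash;
    private final boolean enabled;
    private final String displayName;
    private final List<GrantedAuthority> authorities;

    AppUserDetails(User u, List<GrantedAuthority> authorities) {
        this.id = u.id;
        this.username = u.username;
        this.passwordHash = u.passwordHash;
        this.enabled = u.enabled;
        this.displayName = u.profile == null ? u.username : u.profile.displayName;
        this.authorities = authorities;
    }
    public Long getId() { return id; }
    public String getDisplayName() { return displayName; }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public String getPassword() { return passwordHash; }
    @Override public String getUsername() { return username; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return enabled; }
}

// Runs once, at login; Spring Security then keeps the returned object for the session.
@Service
class AppUserDetailsService implements UserDetailsService {
    private final UserRepository users;
    AppUserDetailsService(UserRepository users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String username) {
        User u = users.findByUsername(username);
        if (u == null) throw new UsernameNotFoundException("no such user: " + username);
        List<GrantedAuthority> auths = u.roles.stream()
                .<GrantedAuthority>map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        return new AppUserDetails(u, auths);
    }
}

@Controller
class DashboardController {
    @GetMapping("/dashboard")
    public String dashboard(@AuthenticationPrincipal AppUserDetails me, Model model) {
        model.addAttribute("displayName", me.getDisplayName());   // no database access
        return "dashboard";
    }
}
```

Whatever is copied into the `UserDetails` is frozen until the next login, so keep it to values that rarely change; the large or frequently edited parts of the profile are better left in the associated class and fetched by id when a page needs them.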

Spring Security and the Proper Way to Verify that User has Access to a Resource

I'm using Spring Security which works great to make sure that a user has a certain role before accessing a resource. But now I need to verify something a little different:
`/product/edit/{productId}`
What is the best way to verify that the logged in user "owns" productId? My business mappings handle the relationship (a user has a list of products). I need to verify this product belongs to the user and hence, they can edit it.
I know how to gain access to productId and the logged in user in both the controller and an interceptor. I don't believe this logic belongs in the controller at all. The interceptor seems better but I wondered if Spring Security had an "accepted" way of handling this situation.
Yes, in Spring you can implement this by implementing Access Control Lists. An ACL declaration specifies permissions for individual objects per user. Once you have everything set up, like ACL entries in your database and logic, you can use SpEL and the @PostFilter annotation to control the list of objects returned to a user.
Spring Security Documentation
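An added example of the SpEL side of the answer (not the asker's or the answerer's code): method security with `@PreAuthorize` on the edit operation and `@PostFilter` on a listing, using a bean referenced from SpEL instead of the full ACL module (which adds its own ACL tables and a `hasPermission()` evaluator). `Product`, `ProductRepository`, the `productGuard` bean name and the `ADMIN` role are assumptions.

```java
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)   // Spring Security 5.6+: @EnableMethodSecurity
class MethodSecurityConfig {}

// Assumed domain: a product belongs to exactly one owner, identified by username.
class Product {
    private final Long id;
    private final String ownerUsername;
    Product(Long id, String ownerUsername) { this.id = id; this.ownerUsername = ownerUsername; }
    public Long getId() { return id; }
    public String getOwnerUsername() { return ownerUsername; }
}
interface ProductRepository {
    Product findById(Long id);
    List<Product> findAll();          // must return a mutable list for @PostFilter
}

// Referenced from SpEL as @productGuard; the ownership rule lives in one place.
@Component("productGuard")
class ProductGuard {
    private final ProductRepository products;
    ProductGuard(ProductRepository products) { this.products = products; }

    public boolean owns(Long productId, String username) {
        Product p = products.findById(productId);
        return p != null && p.getOwnerUsername().equals(username);
    }
}

@Service
class ProductService {
    private final ProductRepository products;
    ProductService(ProductRepository products) { this.products = products; }

    // Evaluated before the body runs. #productId is the argument by name (compile with
    // -parameters or annotate it with @P), authentication is the caller's Authentication.
    // A false result raises AccessDeniedException, which the web layer turns into 403.
    @PreAuthorize("hasRole('ADMIN') or @productGuard.owns(#productId, authentication.name)")
    public void edit(Long productId, String newName) {
        // ... load, modify, save
    }

    // Evaluated after the body runs: elements failing the expression are removed.
    // Fine for short lists; for large tables put the owner in the query instead.
    @PostFilter("filterObject.ownerUsername == authentication.name")
    public List<Product> listMine() {
        return products.findAll();
    }
}
```

Putting the rule on the service rather than in an interceptor means it also holds for callers that never pass through `/product/edit/{productId}`, and the bean reference keeps the SpEL short enough to audit.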