Design question - implementing permissions

We have to implement permissions in our application. Which method do you gurus suggest?

a) Checking if a user has the permissions to do a certain action and enabling/disabling/hiding the input control accordingly.

The drawback I see in this approach is that a user who wants to hack the application can invoke the servlet directly (assuming I am not repeating the permissions check in the servlet too).

b) Checking if a user has the permission to do a certain action in servlets. My view is that this does not conform to the MVC architecture.

As always your views will be appreciated.

Regards

[626 byte] By [ssv45324a] at [2007-10-2 13:35:22]
# 1

> We have to implement permissions in our application. Which method do you gurus suggest?
>
> a) Checking if a user has the permissions to do a certain action and enabling/disabling/hiding the input control accordingly.
>
> The drawback I see in this approach is that a user who wants to hack the application can invoke the servlet directly (assuming I am not repeating the permissions check in the servlet too).
>
> b) Checking if a user has the permission to do a certain action in servlets. My view is that this does not conform to the MVC architecture.
>
> As always your views will be appreciated.
>
> Regards

If you are talking of security, it's a combination of things: Privacy, Authentication/Authorization, Integrity, Non-repudiation.

Now, in this case, since you are interested only in authentication/authorization, I would suggest checking the role-based pattern by Martin Fowler.

kilyasa at 2007-7-13 11:23:55 > top of Java-index,Other Topics,Patterns & OO Design...
# 2

> We have to implement permissions in our application. Which method do you gurus suggest?
>
> a) Checking if a user has the permissions to do a certain action and enabling/disabling/hiding the input control accordingly.

Role-based discretionary access control systems, as Kilyas indicated, would suffice. You could likely simply use container-managed security and/or JAAS.

> The drawback I see in this approach is that a user who wants to hack the application can invoke the servlet directly (assuming I am not repeating the permissions check in the servlet too).

You cannot trust a client. This is a bedrock, non-debatable concept in application security. Any client can conceivably be hacked. Every validation must live on the server. No exceptions. You may embed additional validations on the client (better user experience, fewer server trips, etc.). However, these should not be viewed in terms of security but as mentioned before, user experience enhancement.

> b) Checking if a user has the permission to do a certain action in servlets. My view is that this does not conform to the MVC architecture.

Not true. Implement something like the FrontController pattern. As its first check, ensure a user is authenticated. If yes, determine the action to take and whether the user is authorized to perform that action. If yes, continue.

> As always your views will be appreciated.
>
> Regards

- Saish

Saisha at 2007-7-13 11:23:55
# 3

Thanks for the responses. I did go through some articles regarding FrontController pattern but am still not 100% sure how to implement them.

From the articles I went through, this is how I designed my application. Please let me know if this does follow the FrontController pattern.

I have a BaseServlet class and all my other servlets derive from this class. All the base servlets have the basic methods like verify (which verifies if all the information in the JSP/HTML page is valid) and process (which gets the data from the view page and does the processing accordingly).

This design doesn't eliminate my need for checking if a user has the required permission to enhance user experience. My intention is to do the following.

Say there is a textfield "description" and there are other controls in the page in addition to the username textfield. I would like to display the textfield "description" based on a permission p1.

So I have added something like the following in the JSP page:

<% if (permission) { %>
<input type="text" name="description" value="test" size="20" maxlength="50">
<% } %>

This works, but I would like to know if this is the standard way or if there is a better way to achieve the same.

Thanks in advance

ssv45324a at 2007-7-13 11:23:55
# 4

> Thanks for the responses. I did go through some articles regarding FrontController pattern but am still not 100% sure how to implement them.
>
> From the articles I went through, this is how I designed my application. Please let me know if this does follow the FrontController pattern.

FrontController is simple: all or most requests are at least initially handled by a central class. This could be a Servlet or a ServletFilter. Or if the interactions are getting complex and/or you do not want to deal with inheritance, make a dedicated Controller class and have the Servlet or Filter invoke its methods.

> I have a BaseServlet class and all my other servlets derive from this class. All the base servlets have the basic methods like verify (which verifies if all the information in the JSP/HTML page is valid) and process (which gets the data from the view page and does the processing accordingly).

Totally fine. Though I would encourage you to implement doGet() and doPost() in the BaseServlet and then provide an abstract protected method such as handleRequest(request, response) so that the BaseServlet can enforce workflow (e.g., you authenticate and authorize the request, then call handleRequest()).

> This design doesn't eliminate my need for checking if a user has the required permission to enhance user experience. My intention is to do the following.

That always remains. If you want security, you need to define its constraints and principals.

> Say there is a textfield "description" and there are other controls in the page in addition to the username textfield. I would like to display the textfield "description" based on a permission p1.
>
> So I have added something like the following in the JSP page:
>
> <% if (permission) { %>
> <input type="text" name="description" value="test" size="20" maxlength="50">
> <% } %>

This will work. Another option is to put a Login or User object into HttpSession. It would have methods such as isDisplayAllowed() isAddAllowed() etc. This works for relatively simple situations. When you need more, then move on to full-blown User/Group/Role access control.

> This works, but I would like to know if this is the standard way or if there is a better way to achieve the same.

Yes. However, you will need to either use J2EE's JAAS (Java Authorization and Authentication Service) and/or a web framework (such as Spring, Struts, Tapestry, etc.). The former is a standard J2EE way to provide security. You still need to define the protected resources and what roles exist to access them. However, JAAS takes over from there. The latter web framework option will depend on what convenience features the framework in question has chosen to offer you.

> Thanks in advance

You are welcome.

- Saish

Saisha at 2007-7-13 11:23:55
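
The workflow described in replies #2 and #4 (authenticate, then authorize, then dispatch, enforced by a BaseServlet) could look like the sketch below. It is an added example, not code posted by anyone in the thread. The `User` class, the `requiredPermission()` hook and the `"user"` session attribute are assumed names; the servlet types are the standard `javax.servlet` API.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical principal stored in the session at login (name and shape are assumptions).
class User {
    private final Set<String> permissions;
    User(Set<String> permissions) { this.permissions = permissions; }
    boolean has(String permission) { return permissions.contains(permission); }
}

public abstract class BaseServlet extends HttpServlet {
    // Each concrete servlet names the permission its action requires, e.g. "p1".
    protected abstract String requiredPermission();

    // Business logic; reached only after both checks in guard() have passed.
    protected abstract void handleRequest(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException;

    // final: a subclass cannot override these entry points and skip the checks.
    @Override
    protected final void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException { guard(req, resp); }

    @Override
    protected final void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException { guard(req, resp); }

    private void guard(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);      // do not create a session here
        Object principal = (session == null) ? null : session.getAttribute("user");
        if (!(principal instanceof User)) {                // not authenticated
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!((User) principal).has(requiredPermission())) {  // authenticated, not authorized
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        handleRequest(req, resp);                          // both checks passed
    }
}
```

A servlet that processes the "description" field would extend this class and return "p1" from `requiredPermission()`, so a request sent straight to the servlet is rejected even though the JSP merely hid the input.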
# 5
For completeness, there are also undoubtedly many commercial and open source Java security solutions already out there, if you don't want to invent your own, use JAAS or a web framework's offerings.

- Saish

Saisha at 2007-7-13 11:23:55
# 6
http://www.jot.fm/issues/issue_2002_09/column2
mchan0a at 2007-7-13 11:23:55