2

Page parameter (in Seam) or GET parameter (general) are often mentioned as a proper means to transfer information from one view to another. But obviously it is not a good idea to have sensitive data in the url, e.g //myserver/show.jsf?userId=12, since it is easy to manipulate these params and look at data someone is not permitted to look at.

So far I've been using what examples and literature show (couse until now was not important):

<s:link..>
<f:param value="#{user.id}" name="userId" /> 
</s:link>

in the JSF-file and in the according target page.xml

<param name="userId" value="#{userHome.userId}" />

I am interested in two things (still kind of new to Seam):

1) What different possible strategies of securing unpermitted access, to e.g. different user accounts, are you using, if you want to stick to page parameter? I'm sure some of you have been facing that challenge already. And what are the pros and cons of these strategies.

2) I want to make use of the Seam EntityHome objects here and there in the project since it is a comfortable handling of entities and kind of a DAO structure - but how to efficiently work with HomeObjects if not using page parameter?

Would appreciate to some thoughts and experiences from you guys. Thanks a lot.

josh

joshd
  • 91
  • 9

1 Answers1

1

GET parameters are not inherently unsafe, all REST services rely on data being put in the URL. Parameters (GET or POST) are unsafe if your user detail page, in your example, does not check if you actually have access to user account "12". Also, don't think POST parameters are any harder to manipulate than GET parameters.

So, your code should check if you are entitled to view sensitive data. To handle unauthorized access, you can just throw an org.jboss.seam.security.AuthorizationException in the setUserId() method if the user is setting an ID he is not entitled to. Launching this exception makes Seam follow the exception handling mechanism described in pages.xml (by default it redirects to the /error.xhtml page with an error message).

@In Identity identity;  // The standard Seam Identity component
@In Long sessionUserId; // You should outject this during user login

public void setUserId(Long userId) {
  // Grant access is user is an admin or his id is the same as the one
  // he is trying to set. Otherwise, exception.
  if (!identity.hasRole('admin') && !sessionUserId.equals(userId)) {
    throw new AuthorizationException("Not authorized");
  }
  this.userId = userId;
}
EmirCalabuch
  • 4,756
  • 1
  • 25
  • 20