I got a question about security for my simple REST API application.
I implemented check for security and on every attempt to read/update data from/in database (this is a simple HttpSession session= request.getSession(true); and check - if this is a new session or old and if it equals session id fro cookies).
But the thing is - even if this is a valid user and valid session - I got an URL which make a user to ignore other user:
http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/1/2
I could change 2 users id (last 2 numbers) and send the same request to make other system user to ignore somebody else, for example: http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/3/4
How can I solve this problem?
I googled a lot (for example - RESTful Authentication and related articles, including security questions). But what is the easiest way to solve this problem? I quite a beginner, so I'll be happy to find the simpliest solutions.
Thank you!
Any authentication mechanism allows you to handle this, provided that users don't share the same credentials. Even with Basic AUTH, you'll be able to determine who authenticated.
If the logged in user is id=1, then he can perform http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/1/2, but he can't ignore people for any other id. In fact, since you get the user id from the database, you don't even need the first parameter. It would be ignoreFriend/2, meaning "I want to ignore the person whose id I'm giving as a parameter".
Related
As the title says is there a cannonical safe way to implement login in GRPC (I'm using Java). I'm currently sending the login and password over TLS, checking them at the server and sending back a Session ID that needs to be sent with each message but I was wondering if there is a better/simpler way to do this.
Yes/No, possibly... If your API is not public then you could consider using a basic ApiKey instead of a session id.
If it's public then you have bigger things to consider.
With your current implementation, how long is the Session ID valid for?
What happens when the Session ID expires?
How do you refresh the Session ID?
How do you revoke the Session ID?
Take a look at the documentation here: https://grpc.io/docs/guides/auth/ for some ideas.
I'd also recommend reading up on oAuth2.
I am writing a custom Java webscript that accepts document noderef and an external username (string value) as parameters. I have auditing enabled and the audit log shows access to the document when I call the webscript. Now I wanted to know if it is possible to modify the audit trail so that when it shows the log for that particular document it also shows the name of the external user.
webscript url: http://localhost:8080/alfresco/service/node/{noderef}/user/{user}
On calling this I get the following output in log:
Extracted audit data:
Application: AuditApplication[ name=alfresco-access, id=1, disabledPathsId=2]
Values:
/alfresco-access/transaction/sub-actions=readContent
/alfresco-access/transaction/action=READ
/alfresco-access/transaction/node=workspace://SpacesStore/c21db432-4ad6-4af2-8bcf-78bc89724afe
/alfresco-access/transaction/type=cm:content
/alfresco-access/transaction/path=/app:company_home/app:shared/cm:audit-services-context.xml
/alfresco-access/transaction/user=admin
New Data:
/alfresco-access/transaction/sub-actions=readContent
/alfresco-access/transaction/action=READ
/alfresco-access/transaction/type=cm:content
/alfresco-access/transaction/user=admin
/alfresco-access/transaction/path=/app:company_home/app:shared/cm:audit-services-context.xml
I want to store the {user} also in the audit trail.
You can try to use AuthenticationUtil.setFullyAuthenticatedUser. I think this should help you. But I didn't test this.
You probably do not want to do that, at least not in the way you describe, not without making extra security precautions.
This goes IMHO opinion against security standards, if admin needs to read a document,the operation needs to be logged with his username, if a normal user needs to access a document, he needs to be properly authenticated for that operation.
Judging from the little context I have I would say this is actually an integration with some other app that does not share SSO with Alfresco. So I would recommend a solution of the following :
Use proper SSO between Alfresco and your application, have the concerned user ping the right endpoint in Alfresco and let SSO authenticate the request properly for you.
Use a shared secret (something like a shared passphrase to encode encode the authority name in the request + proper authentication subsystem or request filter to handle that) or a key pair (something like securecomms between solr and alfresco) to be able to securely pass on authority information to the request
Use a system account (preferably not admin, but one that is dedicated to this usecase/application integration) to generate a valid alf_ticket for the user in question, and have your app attach that ticket to the request. (Of course, your "impersonate" webscript would need to check for the right system/integration username, before running the snippet to get the alf_ticket from a runAsSystem block). In this case, I would also recommend not using the admin account for this but rather use a user with no permissions at all except for this usecase.
If you are going to opt for the quick implementation that you have, I would recommend at least the following :
You need to make sure that not any user can ping that webscript and that only admin/system user can actually access that webscript.
You probably should log the whole impersonation operation in the audit trail (either using the same audit entry or a separate one), so that it would be clear that this is actually an operation that was made on behalf of the user and not directly by the user himself
If you use the webscript in question for anything other than reading the content of the node (Can be the case also if you have a onReadContent behaviour that has some nasty AuthenticationUtil.setFullyAuthenticatedUser as well), and you require that operation to be logged as system/originally authenticated user, You will probably have a hard time doing that... and you should switch to a more robust approach!
I want to access Subscription's REST,
For instance ;
/store/{storeId}/subscription?q=byBuyerIdAndSubscriptionType
Ref:https://www-01.ibm.com/support/knowledgecenter/SSZLC2_7.0.0/com.ibm.commerce.starterstores.doc/code/rsm_subscription_fep8.htm?lang=en
but if I explicitly pass member_id of the buyer of subscription to the REST call on some other user's login, it gives me authentication error and doesn't return anything.
User 2581 does not have the authority to perform action "Display" on resource "com.ibm.commerce.subscription.facade.server.authorization.SubscriptionTypeProtectableProxy" for command "Display".
What should I do to byPass this authentication and get desired data?
You could try giving this line in your wc-rest-security.xml file.
<partialAuthentication resource="store/{storeId}/" method="GET" enabled="false"/>
You could also be specific and mention
store/{storeId}/subscription
instead of
store/{storeId}/
I haven't verified the above line, but I am pretty sure the solution to your issue lies in configuring the wc-rest-security.xml file. Link to the IBM Documentation on this : https://www-01.ibm.com/support/knowledgecenter/SSZLC2_8.0.0/com.ibm.commerce.webservices.doc/tasks/twvrestpartialauth.htm
You shouldn't. For obvious reasons.
You should not allow access to other users' subscription data. If what you're trying to accomplish is to allow specific users access to other users' data (e.g. a CSR), then you need to solve this through access control policies and appropriate user roles.
i would like to have a discussing with you about a login pattern and ask for your input.
Especially my idea is used for a Androird Applicaion
PHP -> Native Android with AsyncHttpClient -> Activity
I dont need help for the authentication or the login procedure itself. Just about the process afterwards, if a user is already authenticated.
Imaging your having one Activity in Andriod with Login fields, thats refers after a right Login to another ShowData-Activity.
The Cookie of the Weberver (Apache + PHP) is stored in the SharedPreferences.
If the user is coming back to the application but is still logged in, as his PHPSessionID is still valid, how can we bypass the login Activity and redirect directly to the Data-Activity.
Should there be a second cookie that stores something like "logged_in", "true"
and the Android APP then checks
Pseudocode:
(If logged_in-cookie == true) { Start data-activity}
Or should there be another call to a site on the webserver that returns a true value?
Pseudo:
If(webseite_response==true){redirect to data activity}
Im not sure about the Best practise even under a security point of view.
Even if the user session is not active, someone could just send an "true" to the Andorid application, and then the user would be in the Data-Activity (even if no data is showed there)
Looking forward to your answers.
Best regards
Fabian
I would suggest storing two values in the shared preference
1)a boolean for the logged in status
2)the cookie
The during app startup,check if logged in status is true,if true you can then verify the cookie.If the cookie is valid,proceed,if its not valid,display the login interface.
Seems like a very nice and easy solution.
Just have a look at Facebook SDK for android and see how they have implemented the authentication mechanism. It should help.
https://developers.facebook.com/docs/android/
I am developing an app for Android which allow users making comments. The problem is: if someone discovered the PHP file of my server which receive a comment and save it in a database this person would have a total control to save unlimited comments. So... How could I avoid this?
I don't know so much of security but... Could it be possible solve it with hash, keys or anything? How?
You could use Oauth and send a token with each request here a example link Oauth2 or you can use a more simple method like:
User log in you app then you create in a table a record with is id and random string
Return this string to the user
When user do request add this string
On PHP verify thata string exists and the id is correct then insert the comment else nothing