I am working on an existing Web based application.
Now, I need to secure the application against what I think is called url hacking. For instance, if the customer with customerId 1 is logged in and viewing his profile, the following http get variable will be visible in the address field: customerId=1.
I need to prevent a customer from being able to set customerId=2 and see the profile of another customer.
The problem is that, the application is already in production and in good working condition, so the changes should be minimal with respect to this change.
How is this best achieved?
Any sugggestions/comments?
why do you give the id in the URL when the user should only be allowed to change his profile? I don't see any need for this. Rather get the current user from SecurityConext and display its profile on an URL without the id.
with the new information you gave in the comments I suggest sth. like this:
just check if the given orderid in the URL belongs to the current user.
You're saying you use "normal web based Application" so I assume Servlet/jsp based. In your servlet you would do something like this:
int orderId = Integer.parseInt(request.getParameter("orderId"));
String username = request.getUserPrincipal().getName();
/*now you need to check if username match with the username of the order e.g. by using hibernate to get the order by id and check its user and if not throw PermissionDeniedException or similiar*/
95% agree with Korgen's answer above.
5% - if you want to allow administrator access to edit user profiles using the same functionality just switch to UUID to identify edited user.
Related
I have a project based on documentum, and after user login I'd like to know what's his role.
The reason is that there is a requirment for a menu-action to be enabled just for users who has the specific role.
Assume I have the username (being taken from the login page), how can I do this?
Do I have to put this data on session once the user logged in? I'd prefer to have a one line code that could be called from the client side (javascript) and on the fly doing the disabling of the menu action.
When you login at that service u can create a JSON which will have value of which all menus are enabled for the logged in user.Now when the screen loads with menus u can use this JSON data to hide/display or enable/disable the menu items.
Or else u can write a scriplet tag in the the disables attribute and in the scriplet tag you can call a class static method which returns true or false based in the user details sent.
You can use the following condition to determine the role of a user. I have provided it as a DQL, but you can use the logic to fit it in your code.
select group_name from dm_group where any i_all_users_names = "user_name"
Hope this helps.
Problem:
I am logging into a virtual machine(RDC) using the below credentials:
The user is part of a domain group called as teldept
user:147852 pass:helloworld
when i try to get the user details from java application it gives me : 147852
but when i click on start menu at the top i can see my Name displayed.
How is this done? i want to access this name from java application
I use the below snippet:
System.getProperty("user.name");
Whatever the above snippet gives me is correct as aper oracle docs.
I am logging in with ID: 147852 and above snippet gives me 14852
but some how in windows this ID:147852 is mapped with my name so only in the start menu in XP i am getting my name displyed instead of 147852. we need to know how this mapping is done between the ID & Name . I am guessing it has something to do with Domain or some network logic which i am not good with .
The name shown on XP's start menu is not the logon name. It's Full Name Corresponding to the Logon Name. Not sure if your login is a local login or a domain login. If it's a local login, go to Admin Tools -> Computer Management -> Users and Groups -> Here against your username (147852), you will find a full name.
If your login is a domain login, you can similarly lookup your name in Active Directory - or search for it at other places.
This is very OS Specific and cannot be found by Java.
You will need to do this using JNI and Windows API - Calling GetUserNameEx or NetUserGetInfo depending on type of user.
If you just want to get your logon name (147852), calling com.sun.security.auth.module.NTSystem().getName is a better way than using System.getProperty("user.name")
From this SO question, you can use:
System.getProperty("user.name");
to return the currently logged in user. This will return the username string. I believe this is what you're asking for, but your question is rather unclear.
I have a template accountlist.scala.html looking like this:
#(accounts: models.domain.AccountList)
#titlebar = {<p>some html</p>}
#content = {
#for(account <- accounts) {
<p>#account.name</p>
}
}
#main(titlebar)(content)
... and another template account.scala.html like this:
#(account: models.domain.Account)
#titlebar = {<p>#account.name</p>}
#content = {
#for(transaction <- account.getTransactions()) {
<p>#transaction.detail</p>
}
}
#main(titlebar)(content)
From both of them I am invoking the template main.scala.html.
I have access to the entire Account POJO in the first view accountlist.scala.html, so really there is no need for me to invoke the server to get the details of the account when I go to the view in which I display the details. I would just like to change view on the client side. How could I call the second view account.scala.html from the view accountlist.scala.html a user clicks on an account in the list? I am ready to change the templates as needed.
I have provided a previous answer, which is still available at the end of this post. From your comments, however I understand that you are asking for something else without understanding how dangerous it is.
There are three ways of handling your use case, let's start with the worst one.
A stateful web application
If you have loaded data into a Pojo from some data source and you want to re-use the Pojo between multiple requests, what you are trying to do is to implement some kind of client-state on the server, such as a cache. Web applications have been developed in this way for long time and this was the source of major bugs and errors. What happens if the underlying account data in the database is updated between one http request and the following? Your client won't see it, because it use cached data. Additionally, what happens when the user performs a back in his browser? How do you get notified on the server side so you keep track of where the user is in his navigation flow? For these and others reasons, Play! is designed to be stateless. If you are really into web applications, you probably need to read about what is the REST architectural style.
A stateless web application
In a stateless web applications, you are not allowed to keep data between two http requests, so you have two ways to handle it:
Generate the user interface in a single shot
This is the approach which you can use when your account data is reduced. You embed all the necessary data from each account into your page and you generate the view, which you keep hidden and you show only when the user clicks. Please note that you can generate the HTML on the server side and with Javascript makes only certain part of your DOM visible, or just transfer a JSON representation of your accounts and use some kind of templating library to build the necessary UI directly on the client
Generate the user interface when required
This approach becomes necessary when the account data structure contains too many informations, and you don't want to transfer all this information for all the accounts on the client at first. For example, if you know the user is going to be interested in seeing the details only of very few accounts, you want to require the details only when the user asks for it.
For example, in your list of accounts you will have a button associated with each account, called details and you will use the account id to send a new request to the server.
#(accounts: models.domain.AccountList)
#titlebar = {<p>some html</p>}
#content = {
#for(account <- accounts) {
<p>#account.name <button class="details" href="#routes.Controllers.account(account.id)">details</button></p>
}
}
Please note that you can also generate the user interface on the client side, but you will still need to retrieve it from the server the data structures when the user clicks on the button. This will ensure that the user retrieves the last available state of the account.
Old answer
If your goal is to reuse your views, Play views are nothing else then Scala classes, so you can import them:
#import packagename._
and then you use it in another template:
#for(account <- accounts) {
#account(account)
}
The question reveals a misunderstanding of play framework templates. When compiling the play project the template code is transformed to html, css and javascript.
You can not "invoke"/link another template showing the account transactions from a href attribute of your Account row. However, you can do any of the following:
In case you have loaded all transactions from all accounts to the client in one go: extend the template to generate separate <div> sections for each account showing the transactions. Also generate javascript to 1) hide the overview div and 2) show the specific transaction div when clicking on one of the accounts in the overview. Please see the knockout library proposed by Edmondo1984 or the accordion or tabs in twitter bootstrap.
In case you only load the account overview from the server. Generate a link such as this one href="#routes.Controllers.account(account.id)" (see Edmondo1984 answer) and make another template to view this data.
Since the question concerned a case in which you got all data from the server, go by option 1.
I am using LinkedIn-J. My application authenticates without problem, I get data from the user - even their first name, last name etc.
Person profile = client.getProfileForCurrentUser();
profile.getFirstName();
However, when I try to get the list of educations, the Educations object returned is null:
Educations educations = profile.getEducations();
educations == null
What can be the error? Should my application ask for special permissions to be granted?
I've never used the Linkedin-j api before, but according to the LinkedIn api you get firstname, lastname, headline, and some url by default.
So I believe you need to specify that you want education returned. I don't know how to do that in LinkedIn-J though.
http://developer.linkedin.com/documents/profile-api
For example, with the rest api you'd use this uri:
http://api.linkedin.com/v1/people/id=12345:(first-name,last-name, educations)
Using the LinkedIn J library, it seems like you have to add profile fields using Set as a parameter to one of their many methods in the client.
Example of a method you could call of many (if you have a connected user):
public Person getProfileForCurrentUser(Set<ProfileField> profileFields)
ProfileField is an Enum located here:
import com.google.code.linkedinapi.client.enumeration.ProfileField;
I am trying to map my requests in a special way to achieve a very simple purpose.
Say the root website is abc.com and has several users. Each user has a home page, admin page, requests page, etc.
Let us assume we have users user1 and user 2
I want the urls to be coded as:
abc.com/user1/admin
abc.com/user1/home
abc.com/user1/requests
So basically abc.com/user1/home is the home page for user 1 and abc.com/user1/admin is the the admin page for user 1.
I have tried using the request mapping in wicket using named parameters etc. I can encode my URL'S as abc.com/home/user1 but I can not get the encoding I desire.
Any help is welcome.
Thanks
Anant
I'm just starting with the version 1.5 of wicket but I think the new mapping system will resolve your point quite easily :
mountPage("{userCode}/home", UserHomePage.class);
mountPage("{userCode}/admin", UserAdminPage.class);
Then, in the page you just have to retrieve the page parameter to load your model.
String userCode = pageParameter.get("userCode").toString();