> -----Original Message-----
> From: struts Dude [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 26, 2004 7:47 PM
> To: Struts Users Mailing List
> Subject: Re: Question about authentication
>
> ----- Original Message -----
> From: "David Suarez" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Friday, August 27, 2004 2:35 AM
> Subject: RE: Question about authentication
>
> > My question is, does it really matter? Does it really represent a
> > security issue?
>
> Ummm, I think it does, through bad design and coding. As I just
> found out yesterday, I can copy and paste a link from an admin JSP page
> into a new browser, press enter, and then the files stored on the server
> are listed on the page.
> I was surprised, since the bean should be empty and I didn't log in
> first, but ... it's not my fault, it's Struts' fault. Yes, it's due to bad
> coding and design, but I would get away with these if I simply restricted
> access to the JSP using declarative authentication in whatever ...
Yes, you could. However, you might still be open to path mangling attacks, which the container might allow (i.e. a security bug in the container). It's much easier to implement "no outside access to WEB-INF" than to try to handle all the different ways a URL can be represented, so it's safer. Also, since web.xml is modifiable, putting it under WEB-INF leads to fewer fat-finger mistakes. And finally, just because you don't have a role in your role table doesn't mean an attacker can't put it there, opening everything up.

> BTW, in case you're wondering what I did wrong, I basically use
> ProcessAction to execute a business bean that doesn't require a form bean
> for input but returns a form bean to populate a table in the JSP, so ...
> yeah, I got lucky.
>
> > Am I missing something? Does viewing a page structure with no data
> > represent a security issue?

Yes, it lets a savvy attacker know what fields you have in the database. Then all they have to do is figure out table and database names and try a SQL injection attack. Security is best done in layers, the first being: never let them see what they don't need to see.
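The reply's point about "all the different ways a URL can be represented" is easy to underestimate. The following is an added example, not code from this thread or from Struts: it assumes the admin JSPs sit under a hypothetical `/admin/` prefix, lists a few constructed spellings of the same request path, and contrasts a naive check on the raw path with a check on a canonicalized path. It also shows the single rule the reply prefers, that nothing under `/WEB-INF/` is ever served directly. The case folding in that rule is an assumption for the example; real containers differ by platform.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed request paths that should all reach the same protected resource,
# /admin/files.jsp. They are illustrative spellings for this example, not a
# catalogue of bypasses recorded against any particular container.
VARIANTS = [
    "/admin/files.jsp",                 # plain form
    "/public/../admin/files.jsp",       # ".." climbs back into /admin
    "/admin/./files.jsp",               # redundant "." segment
    "//admin/files.jsp",                # doubled slash
    "/%61dmin/files.jsp",               # percent-encoded 'a'
    "/admin%2Ffiles.jsp",               # percent-encoded slash
    "/admin;x=y/files.jsp",             # path parameter on the first segment
    "/admin/files.jsp;jsessionid=abc",  # path parameter on the last segment
]

# Assumed layout: the admin JSPs live under /admin/ and are meant to require a role.
PROTECTED_PREFIX = "/admin/"


def naive_is_protected(raw_path: str) -> bool:
    """Match the request path exactly as received, the way a hand-written check
    in a filter or action often does. This is the fragile approach."""
    return raw_path.startswith(PROTECTED_PREFIX)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to one spelling before any access decision is made."""
    # 1. Strip path parameters (";key=value") from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))
    # 2. Percent-decode exactly once. Decoding twice is a classic mistake:
    #    "%252e%252e" would turn into ".." on the second pass.
    path = unquote(path)
    # 3. Collapse repeated slashes, then resolve "." and "..". posixpath.normpath
    #    keeps a leading "//" on its own, so collapse before calling it.
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)
    # 4. Always return an absolute path so prefix checks are meaningful.
    return path if path.startswith("/") else "/" + path


def canonical_is_protected(raw_path: str) -> bool:
    """Decide on the canonical form instead of the raw one."""
    return canonicalize(raw_path).startswith(PROTECTED_PREFIX)


def container_will_serve(raw_path: str) -> bool:
    """The single rule the reply prefers: nothing under /WEB-INF/ is ever served
    directly, whatever URL patterns the application declared. Folding case is an
    assumption for this example; real containers differ by platform."""
    first_segment = canonicalize(raw_path).split("/")[1]
    return first_segment.upper() != "WEB-INF"


def bypasses_naive() -> list:
    """Variants the raw-path check lets through but the canonical check catches."""
    return [v for v in VARIANTS
            if not naive_is_protected(v) and canonical_is_protected(v)]


if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:36} naive={naive_is_protected(v)!s:5} "
              f"canonical={canonical_is_protected(v)!s:5} -> {canonicalize(v)}")
    print("slip past the naive check:", bypasses_naive())
    for p in ["/WEB-INF/jsp/admin/files.jsp", "/public/../WEB-INF/web.xml", "/index.jsp"]:
        print(f"{p:36} served={container_will_serve(p)}")
```

Five of the eight spellings slip past the raw-path check while every one is caught once the path is canonicalized. The lesson matches the reply: rather than enumerating spellings in application code, keep the JSPs where the container refuses to serve them and let the controller be the only way in.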