struts-user mailing list archives

From "El Harouchi, Jaafar [IT]" <>
Subject RE: [OT] Application Security
Date Wed, 11 Jun 2003 13:27:30 GMT
So what problem are you trying to address:
	1) Users accessing data they are not entitled to access?
	2) Users accessing data they are entitled to access, but in an automated manner that allows
them to data-mine, etc.?
	3) General hacks?

#1 is what we usually deal with, storing permissions and validating them against each resource
they try to access.  There are a number of mechanisms, just search the archive for authentication
and authorization.

#2 Is more of a workflow issue and sounds like a business requirement, like enforcing a maximum
number of resources which can be accessed within a given period of time.

#3 If your app is well designed (proper authentication/entitlements, validations, separation
of layers) you should be OK.  ActionForms act as buffers and provide a layer of security.
Make sure that users cannot access JSPs directly... (I'm hoping someone else will give a
more complete answer).


-----Original Message-----
From: Denis Avdic []
Sent: Wednesday, June 11, 2003 9:15 AM
To: Struts Users Mailing List
Subject: Re: [OT] Application Security

Paul Thomas wrote:

> On 10/06/2003 17:47 Denis Avdic wrote:
>> Hello,
>> This is really off topic, but since everyone is working in similar 
>> conditions I thought I'd ask you all a question.
>> How is everyone handling security in your applications?
>> More specifically, we have a site where someone violated our 
>> acceptable use policy and basically tried to retrieve all our data 
>> through a previously unseen hole.  Now, we patched it and we can 
>> definitely go on and keep patching holes when we find them, but I 
>> would like to set up something to prevent that from happening in the 
>> first place.  I am talking about setting up an Intrusion detection 
>> system or something similar, where I could be at least alerted in 
>> real time that something funky is happening, and that I don't have to 
>> accidentally stumble across the action in the log file.  How are you 
>> (if you are) handling this?  Are there open source tools to set this 
>> up?  Commercial?
> Sounds like you're following the M$ security model - throw any old 
> crap out of the door then patch, patch, patch ... Still, Bill Gates 
> has done very nicely out of it so maybe this method has commercial 
> benefits.
> Seriously though, how do you expect anyone to be able to give an 
> answer to this? At what level did the intrusion take place? OS? 
> Service? Application server? Application?
I'll ignore the thinly veiled insult there.

What our site is basically about is that people can access some 
information retrieved from a database.  This person registered and 
basically went and accessed all of the profiles stored on our server, 
sequentially, using an automated process (2 per second).  This was in 
violation of our acceptable use policy.  My question is what do people 
use if something like this happens, or how do they handle any other 
intrusions on all other levels.
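The reply above lists three controls without showing any of them: a per-resource entitlement check (#1), a business cap on how many resources one user may pull in a period (#2), and some way to be alerted in real time when a user walks the profiles sequentially, which is what the original poster saw at two requests per second. The following is an added example, not code from this thread or from the Struts project: it implements all three in plain Python and replays them over a constructed access log. The log line format, the 60-second window, the limits of 30 views and 20 consecutive ids, and the profile/ACL tables are all assumptions invented for the example.

```python
"""Added example (not from the thread or the Struts project): an entitlement
check, a sliding-window view cap, and a sequential-enumeration detector,
replayed over a constructed access log.

Assumed log line format:  <epoch seconds> <user> /profile.do?id=<n>
"""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60         # assumed: length of the rate-limit window
MAX_VIEWS_PER_WINDOW = 30   # assumed: business limit on profile views per window
SEQ_RUN_THRESHOLD = 20      # assumed: this many consecutive ids counts as enumeration

LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<user>\S+) /profile\.do\?id=(?P<pid>\d+)$"
)


def is_entitled(user, profile, acl):
    """#1: the user may view the profile only if they own it or the ACL grants it.
    This must run per resource on every request, not once at login."""
    return profile["owner"] == user or user in acl.get(profile["id"], set())


class SlidingWindowLimiter:
    """#2: at most `limit` views per user in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # user -> timestamps of views still in the window

    def allow(self, user, ts):
        q = self.hits[user]
        while q and ts - q[0] >= self.window:  # forget views that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


class EnumerationDetector:
    """#3: flag a user whose requested ids form a run of `threshold` consecutive values."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.state = {}  # user -> (last id requested, length of current consecutive run)

    def observe(self, user, pid):
        last, run = self.state.get(user, (None, 0))
        run = run + 1 if last is not None and pid == last + 1 else 1
        self.state[user] = (pid, run)
        return run >= self.threshold


def scan_log(lines, limit=MAX_VIEWS_PER_WINDOW, window=WINDOW_SECONDS,
             seq_threshold=SEQ_RUN_THRESHOLD):
    """Replay log lines in order and return the first alert of each kind per user
    as (user, timestamp, reason). Lines that do not parse are skipped."""
    limiter = SlidingWindowLimiter(limit, window)
    detector = EnumerationDetector(seq_threshold)
    alerted = set()
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, user, pid = float(m["ts"]), m["user"], int(m["pid"])
        if detector.observe(user, pid) and (user, "seq") not in alerted:
            alerted.add((user, "seq"))
            alerts.append((user, ts, "sequential enumeration"))
        if not limiter.allow(user, ts) and (user, "rate") not in alerted:
            alerted.add((user, "rate"))
            alerts.append((user, ts, "rate limit exceeded"))
    return alerts


# Constructed sample log: alice browses a few unrelated profiles, mallory walks
# ids 100..139 at two requests per second (0.5 s apart), as in the incident.
SAMPLE_LOG = (
    ["1001 alice /profile.do?id=5",
     "1003 alice /profile.do?id=42",
     "1005 alice /profile.do?id=7"]
    + [f"{1000 + i * 0.5:.1f} mallory /profile.do?id={100 + i}" for i in range(40)]
)

# Constructed profile record and ACL for the entitlement check.
PROFILE_7 = {"id": 7, "owner": "alice"}
ACL = {7: {"bob"}}

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("ALERT", alert)
    for u in ("alice", "bob", "mallory"):
        print(u, "may view profile 7:", is_entitled(u, PROFILE_7, ACL))
```

On the sample log the detector fires on mallory's twentieth consecutive id, ten seconds into the run, and the limiter refuses the thirty-first view at fifteen seconds; alice, who views three unrelated profiles, triggers neither. The two controls are deliberately separate: the cap is a business rule that stops the bulk pull, while the detector is the alert the original poster asked for, so that the pattern is noticed when it happens rather than found later in a log file.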


To unsubscribe, e-mail:
For additional commands, e-mail: