struts-user mailing list archives

From Gabriel Belingueres <belingue...@gmail.com>
Subject Re: Security Vulnerability When Using SessionAware and Best Practice For Mitigating It
Date Mon, 27 Feb 2012 15:50:52 GMT
I don't know if storing only immutable state in session is a "Best
Practice" (if there exists such a thing as a best practice).

Consider frameworks like JBoss Seam or Spring Web Flow with their
support for conversations, which is basically mutable state stored in
session scope.

The case seems to be that people are using those sensible, managed by
the framework, dependency-injected objects (with their XXXAware
interfaces) as first class properties of their actions (by
implementing their corresponding getter). Combined with the power of
the parameters interceptor, those unwanted aliases get hard to
manage.

One way to solve the problem would require avoiding getting direct
references to those framework objects, however this requires that the
framework do more stuff for us.

For example, JBoss Seam has those @In @Out annotations for injection
and outjection. These are handy because you no longer need to have the
actual scope object reference in your actions.

2012/2/27 Greg Lindholm <greg.lindholm@gmail.com>:
> A Best Practice for the Session is to only store Immutable objects in the
> session.  This would eliminate the SessionAware issue plus it can also be
> important for clustered servers.
>
>
> On Tue, Feb 21, 2012 at 9:09 AM, bphillips@ku.edu <bphillips@ku.edu> wrote:
>
>> I was researching the SessionAware interface as I'm planning on adding a
>> tutorial on how to use the HTTP Session object from within a Struts Action
>> class to the tutorials at:
>> https://cwiki.apache.org/confluence/display/WW/Getting+Started
>>
>> I ran across this http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html
>> blog post and https://issues.apache.org/jira/browse/WW-3631 Struts 2 JIRA
>> issue that discuss a security vulnerability when using SessionAware.
>>
>> I'd like to include in the tutorial the best practices for mitigating this
>> vulnerability.  Here is what I think programmers who use SessionAware in
>> their Action class should do to mitigate this vulnerability:
>>
>> 1.  Do not create a public Map<String, Object> getSession() method in the
>> Action class
>>
>> 2.  Also implement the ParameterNameAware interface and override its
>> acceptableParameterName method as follows:
>>
>>     public boolean acceptableParameterName(String parameterName) {
>>         boolean allowedParameterName = true;
>>         // Reject any parameter whose name would reach the injected scope maps
>>         if (parameterName.contains("session") || parameterName.contains("request")) {
>>             allowedParameterName = false;
>>         }
>>         return allowedParameterName;
>>     }
>>
>> I'd certainly appreciate any feedback on best practices to follow when
>> implementing the SessionAware interface and how to mitigate the security
>> vulnerability.
>>
>> Thank You,
>>
>> Bruce Phillips
>>
>>
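As an added illustration of the two mitigation steps Bruce lists (this is not code from the thread or from the Struts project), a Struts 2 action that keeps the injected session in a private field with no getter and, as a stricter variant of the substring check, accepts only an explicit allow-list of simple parameter names; the package, class and property names are assumptions.

```java
package example.hardened; // hypothetical package

import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.struts2.interceptor.SessionAware;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Step 1: the session map is held in a private field and there is no
 * getSession(), so the parameters interceptor has no OGNL path like
 * "session.user" to walk into it.
 * Step 2: acceptableParameterName() admits only the request parameters this
 * action really declares, which also rejects "request..." and any expression
 * containing '.', '[', '(' or '#'.
 */
public class ProfileAction extends ActionSupport
        implements SessionAware, ParameterNameAware {

    // Hypothetical form fields this action expects from the request.
    private static final Set<String> ALLOWED_PARAMS =
            new HashSet<String>(Arrays.asList("displayName", "timezone"));
    // Plain identifier only: no navigation into nested objects.
    private static final Pattern SIMPLE_NAME = Pattern.compile("^[A-Za-z][A-Za-z0-9_]*$");

    private Map<String, Object> session; // private, deliberately no getter
    private String displayName;
    private String timezone;

    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }

    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null
                && SIMPLE_NAME.matcher(parameterName).matches()
                && ALLOWED_PARAMS.contains(parameterName);
    }

    @Override
    public String execute() {
        // The session is only mutated here, by code the action controls.
        session.put("profile.displayName", displayName);
        session.put("profile.timezone", timezone);
        return SUCCESS;
    }

    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public void setTimezone(String timezone) { this.timezone = timezone; }
}
```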

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
