0

I have a requirement where application needs to secure URL for users based on the role user is having and parameter passsed..

Eg: There are four roles PREVIEW_VIEW, PREVIEW_MODIFY, PUBLIC_VIEW, PUBLIC_MODIFY

And URL hit is http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PREVIEW

Lets say User is having only 'PUBLIC_VIEW' and 'PUBLIC_MODIFY' permission.

If user is passing parameter 'recipientType=PREVIEW' then page should be accessible only if user is having 'PREVIEW_MODIFY' permission.

So how to secure URL and parameter together?

i.e Allow this URL(http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PREVIEW) only if user is having PREVIEW_MODIFY permission and allow this URL(http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PUBLIC) only if user is having PUBLIC_MODIFY permission

Thanks

Chetan

Improve this question
2
  • Question is too broad. Essentially, user/role(s) should be maintained in a server side session. Spring security has built in mechanisms for securing resources based on roles. Commented Feb 22, 2016 at 12:18
  • You can use an HMAC to detect URL tampering. You're probably better keeping the recipientType in session though Commented Feb 22, 2016 at 18:58

1 Answer 1

Reset to default
0

to me, this is the wrong way of proceeding. URLs are changable by definition by the client because it's the client itself who decides who or what to call. Therefore, URLs are the worse place to put security information. Besides, if you need to walk this way, I think you can't but leverage encyption.

The server is the one to decide which role(s) the client is associated to, therefore it forces the client to include a parameter with its roles combination. Of course, this MUST be encypted (symmetric encryption will be enough) since the client MUST NOT be able to alter it in anyway.

When the client performs the request, the server retrieves the encrypted attribute and decrypt it to obtain the client's roles.

If you need to make this attribute understandable, you could show it in clear and use an additional cryptographic HASH parameter.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

No doubt Roles are maintained server side. however I am looking for solution something like below: <intercept-url pattern="/editGroups.action?recipientType=PREVIEW.*$" access="hasAnyRole('PREVIEW_MODIFY')" /> <intercept-url pattern="/editGroups.action?recipientType=PUBLIC.*$" access="hasAnyRole('PUBLIC_MODIFY')" />

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.