How to prevent an unauthorized user from deleting an object in the domain model?
I have a similar domain model:
- 1) User. Every user has many cities.
@OneToMany(targetEntity=adv.domain.City.class...)
- 2) City. Every city has many districts.
@OneToMany(targetEntity=adv.domain.Distinct.class)
- 3) Distinct
My goal is to delete a Distinct when the user presses the delete button in the browser. After that the controller gets the id of the Distinct and passes it to the business layer, where the method DistinctService.deleteDistinct(Long distinctId) should delegate the deleting to the DAO layer.
So my question is where to put the security restrictions and what the best way to accomplish it is. I want to be sure that I delete a Distinct of the real user, that is, the real owner of the City, and the City is the real owner of the Distinct.
So nobody except the owner can delete a Distinct using a simple URL like localhost/deleteDistinct/5.
I can get the user from the httpSession in my controller and pass it to the business layer.
After that I can get all cities of this user and iterate over them to be sure that one of the city.id == distinct.city_id, and then delete the Distinct.
But it's rather ridiculous in my opinion.
Also I can write an SQL query like this...
delete from t_distinct
where t_distinct.city_id in (
    select t_city.id
    from t_city
    left join t_user on t_user.id = t_city.owner_id
    where t_user.id = ?
)
and t_distinct.id = ?
So what is the best practice to add restrictions like this?
I'm using Hibernate, Spring, and Spring MVC, by the way.
Thank you
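One way to put the check in the business layer without loading the user's cities and iterating over them, as an added example that is not code from the question or from any answer on this page: the ownership condition lives inside the query itself (the JPQL form of the SQL in the question), so the service cannot forget the check and the row simply does not exist for anyone but its owner. It assumes the adv.domain entities mapped as in the question, with Distinct.city and City.owner as many-to-one fields, that Spring Security holds the logged-in User entity as the principal, and a view named cities; the controller and service are shown in one listing and would normally sit in separate files.

```java
package adv.service;

import java.util.List;

import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

import adv.domain.Distinct;
import adv.domain.User;

@Service
public class DistinctService {

    @PersistenceContext
    private EntityManager em;

    // The ownership rule is part of the lookup: the row is only returned when it
    // belongs to a City whose owner is the calling user.
    // Assumed mappings: Distinct.city (@ManyToOne City), City.owner (@ManyToOne User).
    private static final String FIND_OWNED =
        "select d from Distinct d "
        + "where d.id = :distinctId and d.city.owner.id = :ownerId";

    @Transactional
    public void deleteDistinct(Long distinctId) {
        Long ownerId = currentUserId();   // from the security context, never from the request

        List<Distinct> owned = em.createQuery(FIND_OWNED, Distinct.class)
            .setParameter("distinctId", distinctId)
            .setParameter("ownerId", ownerId)
            .getResultList();

        if (owned.isEmpty()) {
            // One answer for "no such row" and "not your row", so a caller trying
            // /deleteDistinct/1, /2, /3 ... cannot learn which ids exist.
            throw new AccessDeniedException("Distinct " + distinctId + " is not deletable by this user");
        }
        em.remove(owned.get(0));   // normal entity lifecycle, cascades included
    }

    private Long currentUserId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || !(auth.getPrincipal() instanceof User)) {
            throw new AccessDeniedException("no authenticated application user");
        }
        // Assumption: the Spring Security principal is the application's own User entity.
        return ((User) auth.getPrincipal()).getId();
    }
}

// The controller carries only the id; the owner is resolved server-side. A
// state-changing action is mapped to POST so a plain GET link cannot trigger it;
// Spring Security's CSRF filter (on by default since 4.x) covers forged POSTs.
@Controller
class DistinctController {

    @Autowired
    private DistinctService distinctService;

    @RequestMapping(value = "/deleteDistinct/{id}", method = RequestMethod.POST)
    public String deleteDistinct(@PathVariable("id") Long id) {
        distinctService.deleteDistinct(id);
        return "redirect:/cities";   // assumed view name
    }
}
```

Loading the entity through an owner-scoped select and then calling em.remove keeps Hibernate's cascade and lifecycle behaviour, which a bulk "delete from ... where" statement would bypass; either form costs one round trip for the check and one for the delete, instead of one query per city.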
Comments (4)
What you're asking for is not SQL Injection prevention. You need to ensure the user attempting the deletion is authorized.
As long as you check that the user accessing the page has the rights to delete the row you're trying to delete (this would be checked in the business layer), and ONLY allow the delete command if the user is authenticated and authorized to perform the action.
With Hibernate you don't have to worry about SQL injection. It always uses prepared statements, so you are safe.
As for your concrete case, this is not an SQL injection. But to prevent it, do the validation in the controller: whether the currently logged-in user owns the desired ID.
Depending on the size of the application, you can implement some general security scheme, with ownership settings, and apply it (using AOP).
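The "general security scheme ... applied using AOP" this comment suggests is what Spring Security's method security provides: @PreAuthorize is an AOP interceptor around the service method, and the ownership rule goes into a PermissionEvaluator. The listing below is an added example, not code from the question or the commenter; it assumes the same adv.domain mappings (Distinct.city, City.owner as many-to-one fields), that the authenticated principal is the application's User entity, and Spring Security 3.2 or later for the Java configuration classes. The three classes are shown together and would normally live in separate files.

```java
package adv.security;

import java.io.Serializable;

import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

import adv.domain.Distinct;
import adv.domain.User;

/** Answers "does this user own object X of type T?" with one owner-scoped count query per type. */
@Component
public class OwnershipPermissionEvaluator implements PermissionEvaluator {

    @PersistenceContext
    private EntityManager em;

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Entity-instance form is not used by this application: deny rather than guess.
        return false;
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated() || !(auth.getPrincipal() instanceof User)) {
            return false;
        }
        Long userId = ((User) auth.getPrincipal()).getId();
        Long id = ((Number) targetId).longValue();   // the SpEL argument may arrive as Long or Integer
        // Assumed mappings: Distinct.city (@ManyToOne City), City.owner (@ManyToOne User).
        switch (targetType) {
            case "adv.domain.Distinct":
                return owns("select count(d) from Distinct d where d.id = :id and d.city.owner.id = :uid", id, userId);
            case "adv.domain.City":
                return owns("select count(c) from City c where c.id = :id and c.owner.id = :uid", id, userId);
            default:
                return false;   // unknown type: fail closed
        }
    }

    private boolean owns(String jpql, Long id, Long userId) {
        Long n = em.createQuery(jpql, Long.class)
            .setParameter("id", id)
            .setParameter("uid", userId)
            .getSingleResult();
        return n > 0;
    }
}

/** Turns on @PreAuthorize and plugs the evaluator into the hasPermission() expression. */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Autowired
    private OwnershipPermissionEvaluator evaluator;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        return handler;
    }
}

/** The service states the rule declaratively; the body never runs for a non-owner. */
@Service
class DistinctService {

    @PersistenceContext
    private EntityManager em;

    @PreAuthorize("hasPermission(#distinctId, 'adv.domain.Distinct', 'delete')")
    @Transactional
    public void deleteDistinct(Long distinctId) {
        Distinct d = em.find(Distinct.class, distinctId);
        if (d != null) {
            em.remove(d);
        }
    }
}
```

Two things to check when wiring this up: the #distinctId reference needs the parameter name at runtime (compile with debug info or -parameters), and the interceptor only fires on calls that go through the Spring proxy, so a method calling deleteDistinct on this from inside the same bean skips the check.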
I understand that I want to be sure that the user is the real owner of the Book. The question was how to accomplish it. And yes, I know that the user is authenticated and authorized. But another authorized user can easily delete the pages of another user.
This can be done like this...
User userFromHttpSession = ...;
Long bookId = ...;   // load page, get bookId, load book, get bookId
List books = userFromHttpSession.getBooks();
// ... iterate over books and find out if one of the book.id == bookId
// ... then, if the book's owner is the owner of the httpSession, proceed with the delete
It's like too many SQL queries and too much code; there is probably a better solution. Anyway, thank you for your answers.
Just use your head, quote-escape* everything from an outside (or inside for that matter) source before it gets put in an SQL statement, and check data as it goes in. Or, use prepared statements.
*Edit: By "quote-escape" I meant functions like PHP's mysql_escape_string()