Changing the client ID, for example. Basic security means that the servlet cannot trust anything being requested from a page. You validate the session id (a filter can check if the user has logged in and is authenticated), but I want to prevent an already authenticated client from seeing products of another client by changing the URL. Or am I reading this wrong: that the session ID is, in and of itself, sufficient to re-authenticate/validate subsequent incoming requests...
I think you are on the right track with something like an MD5 digest to detect tampering. For real protection it seems to me you could encrypt all of the parameters to a single base64 encoded string. Bill
In this case, I think he means 'client' in the following scenario:
The end user is NOT the clientid in question. As an example, the end user might be a salesman, tracking sales leads for numerous "clients", and of course, he should only see his own clients.
So the question is... once you've passed through container-managed auth, or even custom-coded auth... how do you prevent an "authenticated" user (our salesman) from viewing someone else's clients, simply by typing in a new clientid into the browser address bar?
I have a system at work where customer service reps should only be able to see and report on certain clients. And also... the actual clients should be able to log in and see certain (very minimal) information. The way I've done it is to create a "User" object when the user first logs in, and from the database I load up all of their permissions. Then on any JSP page, or processing servlet, I'll show links, or hide links, allow a request, or disallow a request, all based on the results of code like exemplified here: So this kind of code can be used to determine if the sales guy is allowed to call a certain action (like: deleteClient). The same technique might be used to restrict which clients he can see. You might build (on login) a List of all the clientids that the sales guy has permission to view. Then every time you are doing processing on clientid, you'd first check to see if the given clientid is found in this sales-guy specific list. If not, you've got someone trying to spoof their way into the system. [ October 13, 2003: Message edited by: Mike Curwen ]
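The per-user client list described in the post above, as an added example (not Mike Curwen's own code): the allowed clientids are loaded once at login and kept in the session, and the servlet rejects any clientid parameter that is not in that list before touching the database. The class names, the session attribute name "user" and the parameter name "clientid" are assumptions for the example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ClientDetailServlet extends HttpServlet {

    // Hypothetical stand-in for the poster's "User" object: built at login
    // from the database and stored in the session under the key "user".
    public static final class AuthorizedUser {
        private final String username;
        private final Set<String> allowedClientIds;

        public AuthorizedUser(String username, Set<String> allowedClientIds) {
            this.username = username;
            this.allowedClientIds = Collections.unmodifiableSet(allowedClientIds);
        }

        public String getUsername() { return username; }

        // Server-side ownership check: a clientid is only accepted because it
        // is in the list loaded for this user, never because it was requested.
        public boolean mayViewClient(String clientId) {
            return clientId != null && allowedClientIds.contains(clientId);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        AuthorizedUser user = (session == null) ? null
                : (AuthorizedUser) session.getAttribute("user");
        if (user == null) {                      // not logged in at all
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String clientId = req.getParameter("clientid");
        if (!user.mayViewClient(clientId)) {     // logged in, but not this client
            // Worth logging: an authenticated user asking for a client outside their list.
            getServletContext().log("Rejected clientid " + clientId
                    + " for user " + user.getUsername());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... load and render the client; the id has passed the ownership check
    }
}
```

The same mayViewClient() call belongs in front of every action that takes a clientid (delete, report, edit), not only the detail page, so that a link hidden in the JSP is also refused when the URL is typed directly.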