JavaRanch » Java Forums » Frameworks » Struts

Struts 2 and Authentication Interceptor - is this secure?

Annie Jones
Greenhorn

Joined: Nov 05, 2007
Posts: 10
Hi,

I currently have an application that uses a custom interceptor to check whether a User object is in the Session. If the object exists then I assume the user has been previously authenticated. The way that the User object is first put into the Session is from a Login Action (once the username and password are determined to be a valid login in the DB).

This User object contains:

int userId;
String username;
String password;

I'm concerned that storing this User object in the Session is not secure.

Additionally, I am concerned that my interceptor does not re-validate the credentials every time a request to a secure part of the site is made - all it does is check that a User object exists in the Session.

Is there a better or more standard/secure approach to this problem? I'd really like someone with some good experience to help me out here.

Thanks!
Annie
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Technically these aren't Struts questions, they're generic regarding security.

Users don't have direct access to session objects (unless you give them access to them, anyway, but that would be unusual). Unless someone has access to the server and can access session memory somehow, it's secure enough.

By re-validating the credentials do you mean checking against the DB to see if the password is still correct? Unless someone on the server-side changes the password in the DB without changing the password of the user object in session, this is (essentially) impossible.

It is, however, possibly reasonable to check if that user is still allowed access to the system--for example, if an employee quits some employers will *immediately* lock them out of the system to prevent them from accessing now-sensitive data. If your application has that kind of requirement then it *might* be reasonable to continuously check for access rights.
Annie Jones
Greenhorn

Joined: Nov 05, 2007
Posts: 10
Yes, I meant re-validating against the database each time a secure part of the site is accessed.

Thanks so much for your response - really clear and well explained, thanks a lot!
Annie Jones
Greenhorn

Joined: Nov 05, 2007
Posts: 10
Oh, one other thing - might it be better to store a simple Integer object (representing the user ID) in the Session saying that the user is authenticated, rather than storing the entire User object with the username and password?

This would save some memory, especially if the username and password are not required after the initial login.

What do you think?
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

I think the savings would amount to < 1k per session object, which hardly seems an issue. It doesn't really matter, though, if you truly never need any information from the user object.
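The following is an added example, not code from anyone in this thread, showing one way to put the two points above together in Struts 2: the login action stores only the user id in the session (no username, no password), and the interceptor both checks for that id and, as David suggests for the "employee quits" case, re-checks on every protected request that the account is still active. The package name, the `UserDirectory` interface, the session key, and the setter-based wiring of the directory into the action and interceptor (e.g. via the Struts 2 Spring plugin) are assumptions; a real application would back `UserDirectory` with its user table.

```java
// Added example (not the original poster's code): a Struts 2 login action and
// authentication interceptor that keep only the user id in the session and
// re-check that the account is still active on every protected request.
// Package name, UserDirectory and the way it is wired in are assumptions.
package example.auth;

import java.util.Map;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.interceptor.SessionAware;

/** Hypothetical account lookup; in a real application this is backed by the user table. */
interface UserDirectory {
    /** User id for a matching, enabled username/password pair, or null if the login fails. */
    Integer authenticate(String username, String password);
    /** True while the account is still permitted to use the application. */
    boolean isActive(int userId);
}

/** Login action. On success only the numeric user id goes into the session. */
public class LoginAction extends ActionSupport implements SessionAware {
    /** Session key shared with the interceptor (assumed name). */
    public static final String USER_ID_KEY = "authenticatedUserId";

    private Map<String, Object> session;
    private String username;
    private String password;
    private UserDirectory users;

    /** Struts creates actions with a no-arg constructor; the directory arrives via setter (assumed DI, e.g. the Spring plugin). */
    public void setUserDirectory(UserDirectory users) { this.users = users; }

    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }

    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }

    @Override
    public String execute() {
        Integer id = users.authenticate(username, password);
        password = null;                       // the plaintext credential is not needed after this point
        if (id == null) {
            addActionError("Invalid username or password");
            return INPUT;
        }
        session.put(USER_ID_KEY, id);          // no username, no password: just the identity
        return SUCCESS;
    }
}

/**
 * Interceptor for protected actions; runs before the action on every request.
 * No user id in session -> send to login. Id present but account disabled -> drop it and send to login.
 * Would live in its own source file in a real project.
 */
class AuthenticationInterceptor extends AbstractInterceptor {
    private UserDirectory users;

    public void setUserDirectory(UserDirectory users) { this.users = users; }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object id = session.get(LoginAction.USER_ID_KEY);

        if (!(id instanceof Integer)) {
            return Action.LOGIN;               // not authenticated: "login" result, mapped globally in struts.xml
        }
        if (!users.isActive((Integer) id)) {   // account locked since login: revoke the session's authentication
            session.remove(LoginAction.USER_ID_KEY);
            return Action.LOGIN;
        }
        return invocation.invoke();            // authenticated and still allowed: proceed to the action
    }
}

/* struts.xml sketch (assumed names):
 *
 *   <interceptors>
 *     <interceptor name="auth" class="example.auth.AuthenticationInterceptor"/>
 *     <interceptor-stack name="secureStack">
 *       <interceptor-ref name="auth"/>
 *       <interceptor-ref name="defaultStack"/>
 *     </interceptor-stack>
 *   </interceptors>
 *   <global-results>
 *     <result name="login" type="redirectAction">login</result>
 *   </global-results>
 *
 * Actions in the secured package reference "secureStack"; the login action itself
 * must stay on the default stack or it becomes unreachable.
 */
```

The `isActive` call is the per-request database check David describes as optional: keep it if a locked account must lose access immediately, drop it if a session-length delay is acceptable. Note that after login the session cookie is what identifies the user on each request, so the usual protections for that cookie (HTTPS, the `Secure` and `HttpOnly` flags) are what keep this scheme "secure enough" on the wire.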