Re: JSP Security - Limiting URL's
From: Jeff Williams (at) Aspect <(at)>
Date: Mon Dec 09 2002 - 21:10:46 EST

The biggest downside to this model is that you can't just link into any page within the site. The only way to certain pages is to go through all the steps. This will also make it difficult for spiders to index your site, as some of them give up when many pages share the same URL. In addition, you are quite likely to have problems with the 'web application firewall' products, as many use the URL as a key for what policy to enforce.

So, the article is right on. I do have a few minor comments below on the implementation.

I found the author's implementation a little difficult to follow. Trying to centralize the state machine can make things within a web app real complicated. I think a more OO way is to put each page in charge of deciding which pages can send requests to it. Of course this depends on the size and complexity of the state machine and how often you think it'll change.

If you look closely at the article, you'll see that the author had to work hard to deal with the "multiple window" problem. State machines don't like getting requests out of order, so if you have two windows open at the same time, everything gets botched up. The author invented a "smID" parameter that has to go on every page to deal with this -- then calls it a "feature."

--Jeff
Jeff Williams
http://www.onjava.com/pub/a/onjava/2001/06/27/java_security.html

Can anyone see a downside to this?

Received on Mon Dec 9 21:43:45 2002
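
Added example, not part of the original message and not the article's code: a plain-Java sketch of the per-page approach described in the reply, where each page lists the pages allowed to send requests to it and the position in the flow is tracked per window. The page names, the flow id (standing in for something like the article's smID parameter) and the in-memory map (standing in for session state) are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Illustration only: page names and flow ids are hypothetical, and the map
// below stands in for per-user server-side session state.
public class PageFlowGuard {
    // Each page declares which pages may send requests to it.
    // "" means "no previous page", i.e. the page is a legal entry point.
    private static final Map<String, Set<String>> ALLOWED_FROM = Map.of(
        "cart.jsp",     Set.of("", "cart.jsp"),
        "shipping.jsp", Set.of("cart.jsp"),
        "payment.jsp",  Set.of("shipping.jsp"),
        "confirm.jsp",  Set.of("payment.jsp"));

    // Last page served, recorded on the server per flow id, so two browser
    // windows in one session do not overwrite each other's position.
    // The flow id is client-supplied: it only selects a record, it never
    // carries the state itself (and the Referer header is not consulted).
    private final Map<String, String> lastPageByFlow = new HashMap<>();

    /** Returns true and advances the flow if 'page' accepts the flow's last page. */
    public boolean request(String flowId, String page) {
        Set<String> allowed = ALLOWED_FROM.get(page);
        if (allowed == null) return false;              // unknown page: deny by default
        String previous = lastPageByFlow.getOrDefault(flowId, "");
        if (!allowed.contains(previous)) return false;  // out of order: state unchanged
        lastPageByFlow.put(flowId, page);
        return true;
    }

    public static void main(String[] args) {
        PageFlowGuard session = new PageFlowGuard();
        // Constructed request sequence: two windows (w1, w2) in one session.
        String[][] requests = {
            {"w1", "cart.jsp"}, {"w1", "shipping.jsp"},
            {"w2", "payment.jsp"},   // direct link into the middle of the flow
            {"w2", "cart.jsp"},      // second window starts its own flow
            {"w1", "payment.jsp"},   // first window continues where it left off
            {"w1", "confirm.jsp"}, {"w2", "confirm.jsp"}};
        for (String[] r : requests)
            System.out.printf("%s -> %-12s %s%n", r[0], r[1],
                session.request(r[0], r[1]) ? "allowed" : "denied");
    }
}
```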