A Struts 1.3 application: enforcing a timestamp parameter passed with every URL - session tracking

I would like to enforce a dynamic parameter (timestamp) with every URL of the application.
I would like to use this parameter to solve the recurring problem of invoking the browser back button or a URL from the history, by comparing the current page timestamp with the invoked URL timestamp.
Any clue is highly appreciated.
Hossam Khalil

What's the "current page timestamp"? Do you mean by checking against the server's current time?
You'd need to have a timestamp in every link, which could be done with a custom tag.
Each form would need a timestamp, which could also be done via custom tag.
A custom request processor would be the Struts 1 way, although you may just be able to use a filter.
You may need to provide more details regarding what exact problem you're trying to solve.

OpenSSL::PKCS7.sign with a specific date

I'm using origami to digitally sign a PDF.
Is it possible to use OpenSSL::PKCS7.sign to sign a PDF and pass, as a parameter or as an attribute, a specific date to be the date of signing?
If not, is there any way of accomplishing this?
I have been searching but found nothing on it.
What you want makes no sense from a security point of view. You are actually asking "how do I spoof the signing time in my documents". Well, you can't do this without capturing control over one of the authorized TSAs (timestamping authorities) in one way or another.
Update: In general it's possible to put any time into a PDF signature as one of its attributes. As I look into Origami's source code, I don't see any way to put a time into the signature.

ASP.NET MVC WIZARD: Passing the entry ID but keeping the app safe for all users

Guys, I have a question.
I'm currently building a wizard that has 5 steps until being completed.
The user starts at the first step, where he generates the entry id.
From there on I start passing the id over the URL like this:
host.com/{controller}/{view}/{id}
This is how my URL looks after step 1,
------- currently at view step2 passing the id=120
host.com/{controller}/step2/120
This isn't safe because, as you know, anyone can change the id and affect other users' entries. Of course, it can be quickly solved by checking in each view whether the authenticated user is the proprietary of the entry that he is trying to access.
Now, my question is... is there a better way to do this?
Any tips for future work?
Is what I'm doing enough?
(beginner doubt, praying for an expert answer)
Cheers
...It can be quickly solved by reading if the authenticated user is proprietary of the entry that he must be trying to access in each view.
Yes, that's true. You should start there.
Here are some other things that you could do:
You could make your entry ids Guids instead, so that a would-be hacker would never try to guess an entry id.
Because using GET for sensitive data is a bad idea, you could, as endyourif suggests, pass the entry ids with hidden fields instead.
If you are truly concerned about the user altering the ID in the URL, then you must spend the additional time adding an "isOwnedBy" like functionality.
As an additional security measure, you could pass it via a hidden variable in the form so it is at least not as easy to change as well.
Edit: I like LeffeBrune's suggestion of encrypting the id as well. However, I still suggest that the validation is performed in the function to ensure the user owns the object. It's just good practice.
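The "isOwnedBy" check the answer recommends, written as an added ASP.NET MVC example (not code from the question or any answer). It assumes a hypothetical WizardEntry model, an IEntryRepository resolved through constructor injection, and that entries are keyed by Guid as suggested above; the same check runs for the GET step (id in the URL) and the POST step (id in a hidden field), because both are equally editable by the client.

```csharp
using System;
using System.Web.Mvc;
// Hypothetical model and repository; the question does not define them.
public class WizardEntry
{
    public Guid Id { get; set; }  // Guid rather than a guessable sequential int
    public string OwnerUserName { get; set; }
}
public interface IEntryRepository
{
    WizardEntry Find(Guid id);
    void Save(WizardEntry entry);
}

[Authorize] // every wizard step requires a signed-in user
public class WizardController : Controller
{
    private readonly IEntryRepository _entries;
    // Constructor injection assumes a DependencyResolver is configured.
    public WizardController(IEntryRepository entries) { _entries = entries; }

    // The "isOwnedBy" check: returns the entry only if the current user owns it.
    // A missing entry and another user's entry both yield null, so a tampered
    // id produces the same 404 either way and reveals nothing about others.
    private WizardEntry FindOwnedEntry(Guid id)
    {
        var entry = _entries.Find(id);
        if (entry == null) return null;
        bool owned = string.Equals(entry.OwnerUserName, User.Identity.Name,
                                   StringComparison.Ordinal);
        return owned ? entry : null;
    }

    // GET /Wizard/Step2/{id}
    public ActionResult Step2(Guid id)
    {
        var entry = FindOwnedEntry(id);
        return entry == null ? (ActionResult)HttpNotFound() : View(entry);
    }

    // POST /Wizard/Step2 - the id arrives from @Html.HiddenFor(m => m.Id).
    // Hidden fields are as editable as the URL, so the same check runs again.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Step2(Guid id, string answer)
    {
        var entry = FindOwnedEntry(id);
        if (entry == null) return HttpNotFound();
        _entries.Save(entry); // persist whatever step 2 collected
        return RedirectToAction("Step3", new { id = entry.Id });
    }
}
```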

Struts 2 validation of parameters

I'm wondering how to handle missing request parameters in a Struts 2 action:
Let's say you have an action to view a user profile.
The action will show the profile of a given user according to the userId parameter.
How do you handle the fact that this parameter may be missing (if the user loads the action directly from the URL bar, or if he plays with the Tamper Data add-on ...)?
I see several options, but I wonder if there are other options and which one is the best:
In each action, in prepare(), check if the expected parameters are given; if not, redirect.
In each action, in the method that processes the request, check those parameters; if not present, redirect.
I also thought I could use validators to make sure the parameters are there, but that only works for a form, doesn't it?
If you have any idea or any point of view on this question, I would love to hear it.
Thanks
Validation operates on request parameters--it doesn't matter if it's via a form or request parameters.
As long as an action has appropriate setters, which it would in this case, the default validation works fine. Determining if the user has the rights to access the profile in question may also be handled using a custom validator, probably one that uses existing business logic to determine access rights.
All of that, however, may be wrapped up using Spring Security, and eliminate the need for writing your own interceptor and/or validator. Which solution is the most appropriate depends on your actual needs.

Usage examples for each attribute of all Struts2 tags

I need to know how to use each and every attribute of the Struts2 tags. I have gone through all possible websites by searching via Google, but none has an understandable explanation or examples of each and every attribute of each Struts2 tag.
For example: in the "optiontransferselect" tag, for the allowAddAllToRight attribute I have no idea what String I need to give for it.
Here is one of the sites I referred to...
If you want to understand every single option, do two things:
Use every single option.
Read the source code.
When something is listed as "enable", it's almost always a true/false value, as it is in this case. Why it's listed as a string, not sure; either an issue with the annotation processor, or it was added and the type conversion was done manually, or...?
While I (sort of) understand the motivation for wanting to understand "each and every attribute" of each tag, IMO your time would be better spent learning more important framework details.
I am afraid you will not find them anywhere, as these attributes have been defined and provided based on generic needs, and it's quite possible that someone needs a few of them and someone else needs others.
I have never even used all of the tag properties, and in most cases we end up using a few as per our choice.
If you want to find out what effect each and every property/attribute has, the best way is to create a demo Struts2 application, pick a few tags, go to the Struts2 tag reference page, read their description, start playing with them, see how things change and check the generated HTML code.
There is no other shortcut for this.
But why do you need to know all the properties? I am just curious.
Struts2 tag reference

How to safely display HTML emails within a web app?

Within a C# / ASP.NET MVC web app, I would like to display HTML emails received from untrusted sources. Does anyone know if there are known best practices (or even tools) to do this in a "safe" way? As far as I understand, most webmails perform extensive preprocessing (disabling image links, removing scripts etc).
Is there anything simple that can be done that is better than just displaying the email as text only?
Joannes,
The easiest thing to do would be to use the Web Protection Library's whitelisting service to filter out potentially malicious HTML: http://wpl.codeplex.com/
As for implementing more sophisticated client behavior, such as blocking images from unknown sources unless the user authorizes it, you might want to try implementing something along these lines:
Don't pass full <img src="{URI}" /> tags back to the client - instead push an image with a unique ID attribute and have its src point to a default "cannot display image" icon.
Add a button or some other UI control where a user can give their explicit consent to display images for this method.
Build an action method on your email viewing controller which returns a JsonResult with a dictionary that contains the ID of the image along with its src value.
Write a JavaScript method that will call the action method and swap the appropriate src values back into place upon receiving the JsonResult from your action method.
Hope this helps!
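The server side of the image-deferral scheme described in this answer (steps 1 and 3), written as an added example rather than code from the answer or from the Web Protection Library. It assumes the HTML has already been through the whitelisting sanitizer, that the HtmlAgilityPack parser is installed, and a hypothetical Session key scheme for storing the per-message id-to-URL map; the client-side swap (step 4) is plain JavaScript matching on the data-img-id attribute and is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using HtmlAgilityPack; // third-party HTML parser, assumed to be installed

public static class ImageDeferral
{
    // Rewrites every <img> in already-sanitized HTML: src becomes a local
    // placeholder and the real URL is kept server-side under a per-message id,
    // so nothing is fetched from the sender until the user opts in.
    public static string DeferImages(string sanitizedHtml, string placeholderSrc,
                                     out Dictionary<string, string> sources)
    {
        sources = new Dictionary<string, string>();
        var doc = new HtmlDocument();
        doc.LoadHtml(sanitizedHtml);
        var images = doc.DocumentNode.SelectNodes("//img");
        if (images == null) return doc.DocumentNode.OuterHtml;
        int n = 0;
        foreach (var img in images)
        {
            string id = "img" + (n++);
            string src = img.GetAttributeValue("src", "");
            // Only absolute http(s) URLs are ever handed back to the client;
            // javascript:, data:, cid: and relative sources are dropped.
            Uri uri;
            if (Uri.TryCreate(src, UriKind.Absolute, out uri) &&
                (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
                sources[id] = uri.AbsoluteUri;
            img.SetAttributeValue("src", placeholderSrc);
            img.SetAttributeValue("data-img-id", id);
        }
        return doc.DocumentNode.OuterHtml;
    }
}

public class MailController : Controller
{
    // Step 3 of the answer: after the user clicks "show images", return
    // {"img0": "https://...", ...}; the client script then sets each
    // img[data-img-id] src from this map. The map was stored in Session
    // by the action that rendered the message (hypothetical key scheme).
    [HttpPost, ValidateAntiForgeryToken]
    public JsonResult ImageSources(Guid messageId)
    {
        var sources = Session["imgmap-" + messageId] as Dictionary<string, string>
                      ?? new Dictionary<string, string>();
        return Json(sources);
    }
}
```

Because the placeholder page never contains the sender's URLs, the user's IP address and the fact that the mail was opened are not disclosed to the sender until consent is given.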
