#26 DrugService does not do any proper authentication checks

open
nobody
Server (6)
3
2010-06-30
2010-06-15
georgefx
No

DrugService methods use an arbitrary role argument to check for permissions. This is supplied from outside and therefore does not provide any security. Instead, these methods should accept a session key and check if the user associated with this key is allowed to perform the requested action.
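The difference between the two designs described above, as an added example that is not part of the ticket or the project's code. Only `DrugService`, `Role.ADMIN` and the idea of a session key come from the ticket; the method names, the in-memory session table and the `login` helper are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch, not the project's code.
public class DrugServiceAuthDemo {
    enum Role { USER, ADMIN }

    // Server-side session table: key -> role fixed at login time.
    // In-memory for the demo; a shared store (e.g. a database) is needed if
    // several service instances must see the same sessions.
    static final Map<String, Role> SESSIONS = new ConcurrentHashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    // Assumed to be called only after the user's credentials were verified.
    static String login(Role verifiedRole) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(key, verifiedRole);
        return key;
    }

    // Pattern reported in the ticket: the caller states its own role.
    static boolean deleteDrugTrustingCaller(Role claimedRole, int drugId) {
        return claimedRole == Role.ADMIN; // nothing ties the role to a user
    }

    // Proposed pattern: the role is looked up from the session key.
    static boolean deleteDrug(String sessionKey, int drugId) {
        Role actual = sessionKey == null ? null : SESSIONS.get(sessionKey);
        if (actual != Role.ADMIN) {
            throw new SecurityException("session is not authorized for this action");
        }
        return true; // the delete itself would happen here
    }

    public static void main(String[] args) {
        String userKey = login(Role.USER);
        String adminKey = login(Role.ADMIN);
        System.out.println("claimed role: " + deleteDrugTrustingCaller(Role.ADMIN, 7));
        System.out.println("admin session: " + deleteDrug(adminKey, 7));
        for (String key : new String[] { userKey, "made-up-key", null }) {
            try {
                deleteDrug(key, 7);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```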

Discussion

  • Frank Denninger

    Frank Denninger - 2010-06-16

    It's not really arbitrary, you would need to use Role.ADMIN to get a valid object, so nobody would create a security risk by accident. (For the programmer it will always be possible to create a security risk, but it shouldn't be by accident.)

    The current session key implementation will collapse if for some reason Tomcat or Spring spawns a second version of DrugService. I'm not sure, but I think Tomcat has some load management, so a second Spring on another classloader (even static won't be safe) isn't too unlikely. (The best thing I can think of will be storing the session key in the database.)

    If these problems are solved, I think your proposal is better than the current implementation.

    (One thing I'm not too sure about is how to get a session key in the imex .. as I think it will be best if the imex will use the DrugService.)

     
  • georgefx

    georgefx - 2010-06-16

    I think I didn't make my point clear enough. The role is supplied from outside and the service has no means to check if the user really is authenticated and has the role he pretends to have. Currently the service relies on the controller to supply a valid role. In this way it is arbitrary as it is not bound to any authentication token. "Speak the word friend and enter".
    The session key implementation may be broken and needs to be fixed. This is another bug.

     
  • Markus Stipp

    Markus Stipp - 2010-06-30
    • priority: 7 --> 3