[Webwork-devel] Security in webwork

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Rickard:

By default Webwork exposes actions found on webwork.packages prefixes or 
through aliases. This is very convenient most times, but I have noticed that 
there are cases when it would be best to restrict the ServletDispatcher to 
just using aliases.

The reason for this is that you could have 1,000,000 different 
"utility/helper" actions that you don't want to ever be accessed directly 
through the web.

It is a good practice to modularize a system into many bits and pieces 
(different small actions to achieve a large tasks, since you could share 
those small actions in many different places). But this scheme falls into 
pieces with some sort of security...

In order not to affect anything else, the best place to address this is in 
ServletDispatcher, as it would not then disrupt anything else and we keep 
ActionFactory preety generic.

IMHO, this segment in ServletDispatcher,

      try
      {
         action = ActionFactory.getAction(actionName);
      }

should be refactored into

      try
      {
         action = getActionImplementation(actionName);
      }

and add a protected method "getActionImplementation(actionName)" which 
subclasses could override.

A way to moderately secure this is to do an

if(actionName.indexOf('.') >=0) throw SomeException();

right before the ActionFactory.getAction(actionName)..

This would allow you to put your secure actions in non-root packages 
relative to the prefixes with no problem and we haven't modified much! :)

Cheers,

/V

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp