
  • User/Data Security Validation

    On a current project, I am tasked with trying to secure the access to particular data records. The approach I have still strikes me as wrong, so I want to ask others if you have a better approach to suggest.

    First, let me explain that the records in this system are stored with a reference to what we call a FacilityId. This FacilityId is part of a data logical grouping of CustomerId => RegionId => FacilityId. In most of our web forms, the user is able to select either All, a specific customer, region, or facility to narrow their query to whatever global or granular view they desire for their results. We simply map all records to the lowest level and as a part of the business logic, if they select a higher level, we construct what the lower facilityIds would be based on their selection and use this list in our queries.

    Secondly, the user security is designed where we have mapped each URL Struts2 action to a Function domain object based on a regex matching process. These function objects are then associated to a set of Role objects. Multiple roles can be associated to the same Function. The user domain object is then associated to a set of Role objects to define what roles and therefore what URL/Functions they can execute in the web application.

    The data in the system which the user can view must be restricted. Users cannot simply just see ALL data unless they're specific users. And so a relationship is built between the User->Role->FacilityId. This is called the UserRoleFacility.

    UserA -> RoleA -> FacilityA
    UserA -> RoleA -> FacilityB
    UserA -> RoleB -> FacilityC
    UserA -> RoleB -> FacilityB

    Assuming that a URL/Function only exists in RoleA and the user is executing that URL, the URL should be restricted to data associated to both FacilityA and FacilityB; however data for FacilityC would never be queried.

    If the user was executing a URL/Function that exists in both RoleB and RoleC, then data would be queried for ALL facilities, simply because we do a composite association. Had the URL been only part of RoleB, the query would only be allowed to return records from within FacilityB and FacilityC.

    In my service I have done the following:
    public IListPage getMaterialSearchResults(MaterialSearchCriteria criteria) {
      // Get the list of facilityIds based on the selection from the web form
      // and limit the results to only values permissible to the composite
      // list of user roles.
      List<Long> facilityIds = facilityService.getIdsFromSiteUserRole(criteria.getSite(), criteria.getUserRoles());
      // set the ids in the search criteria object which is handed off to the
      // DAO layer for query processing (setter name assumed)
      criteria.setFacilityIds(facilityIds);
      // get database results from the Material DAO (materialDao.search is an assumed name)
      IDaoList<Material> results = materialDao.search(criteria);
      // prepare view handler and return
      return new ListPage(results, criteria.getPageNumber(), criteria.getPageSize());
    }
    The method above queries the Facility Service to get the list of IDs that are based on the restrictive logic written above the code. Those IDs will be passed to the DAO layer in the Material DAO in order to restrict what records the other criteria values will be limited within.

    If I try to push this "limit" process to the DAO layer, I am now placing business logic in the DAO layer. Right now the DAO layer simply should examine the criteria object properties, construct a query based on the values provided and then return the results based on query.

    Do others see a better, less bloated way to do this? I need to implement this validation check on ALL service calls to secure the data, to prevent a user from passing an invalid value on the GET/POST requests and being able to view data for a facility which they're not allowed to see for their user/role(s) associated to the action being invoked.

    Last edited by crancran; Dec 17th, 2010, 08:58 AM.
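    The composite User -> Role -> Facility check described in the post, written out in plain Java as an added example (this is not the poster's code): the facilities a user may query for a given URL/Function are the union of the user's UserRoleFacility grants across every role permitted to invoke that function, and any facility ID arriving on the request outside that set is rejected rather than silently dropped. The Grant record, the function-to-role map and the facility numbers 1, 2, 3 (for FacilityA, B, C) are constructed for the illustration.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added example, not the poster's code: the composite User -> Role -> Facility check from the thread.
public final class FacilityAccess {
    // One UserRoleFacility row: user may see facilityId when acting through role.
    public record Grant(String user, String role, long facilityId) {}
    private final List<Grant> grants;                     // the UserRoleFacility table
    private final Map<String, Set<String>> functionRoles; // URL/Function -> roles allowed to invoke it

    public FacilityAccess(List<Grant> grants, Map<String, Set<String>> functionRoles) {
        this.grants = List.copyOf(grants);
        this.functionRoles = Map.copyOf(functionRoles);
    }

    // Union of the user's facilities over every role that is permitted to invoke the function.
    public Set<Long> permittedFacilityIds(String user, String function) {
        Set<String> roles = functionRoles.getOrDefault(function, Set.of());
        return grants.stream()
                .filter(g -> g.user().equals(user) && roles.contains(g.role()))
                .map(Grant::facilityId).collect(Collectors.toUnmodifiableSet());
    }

    // Facility IDs the DAO may query. An empty request means "All" and expands to the permitted set;
    // a request naming a facility outside it is rejected, so a tampered GET/POST parameter fails
    // loudly instead of being silently narrowed.
    public List<Long> restrict(String user, String function, Collection<Long> requested) {
        Set<Long> allowed = permittedFacilityIds(user, function);
        if (requested == null || requested.isEmpty()) return new ArrayList<>(new TreeSet<>(allowed));
        List<Long> outside = requested.stream().filter(id -> !allowed.contains(id)).toList();
        if (!outside.isEmpty()) {
            throw new SecurityException(user + " may not query facilities " + outside + " via " + function);
        }
        return List.copyOf(requested);
    }

    public static void main(String[] args) {
        // Constructed data mirroring the thread: facilities A, B, C are IDs 1, 2, 3.
        List<Grant> rows = List.of(new Grant("UserA", "RoleA", 1), new Grant("UserA", "RoleA", 2),
                                   new Grant("UserA", "RoleB", 3), new Grant("UserA", "RoleB", 2));
        Map<String, Set<String>> fn = Map.of("/material/search", Set.of("RoleA"),
                                            "/material/report", Set.of("RoleA", "RoleB"));
        FacilityAccess access = new FacilityAccess(rows, fn);
        System.out.println(access.permittedFacilityIds("UserA", "/material/search"));
        System.out.println(access.restrict("UserA", "/material/report", List.of()));
        try { access.restrict("UserA", "/material/search", List.of(3L)); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

    With the thread's data, the search action (RoleA only) yields facilities 1 and 2, the report action (RoleA and RoleB) yields all three, and a search request carrying facility 3 is refused.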

  • #2

    Not knowing the structure of your application, this seems like a prime candidate for using a filter to preprocess the request data. Use the filter to retrieve or compute the user's access limits, and drop it into the session or request object for the business logic to retrieve and inject into the dao.

    Hope that helps.


    • #3

      I have looked at an old o2 sim that I used in my iPhone which had a year's internet and wi-fi included and apparently it is a web and text sim. As it has run out I have offered this to my friend and as he is a high data user I will monitor his experience with it.