  • JavaScripts and Spring: Security


    I've got one question. I use Spring (MVC), Spring Security, Ajax...
    I've got a JSP which displays data of a user (which is stored in a database). The user himself can choose who shall be allowed to watch his data (anonymous, users, friends).
    Depending on who calls the page and how the rights are set, the data is displayed.

    So I have a Java class where I determine the permission:
    - checking which rights the user set (who's allowed to watch which data)
    - checking who is calling (anonymous, user, friend)

    In the end I then know which data parts I can display.
    I use MVC, so I use a Model and set some values according to the conclusion of checking the permission. For example I set ("everything", "ok") when everything can be displayed.

    On my JSP I then check if the model value for "everything" is empty or not, and so on.

    Depending on the model values, I use different external JavaScript files. For example, if "everything" is not empty, I use "showAllData.js". If "onlyData1" is not empty, I use "showOnlyData1.js".
    Those JavaScript files then use Ajax and request the data which is stored in the database. (The user can click on various points on the page and different data is displayed then; that's why I can't show all the data he is allowed to see while loading the JSP.)

    It looks like this in the JSP:

    <script type="text/javascript" src="<spring:url value="/static/javascript/jquery-1.4.4.min.js"/>"></script>
    <script type="text/javascript" src="<spring:url value="/static/javascript/jquery-ui-1.8.7.custom.min.js"/>"></script>
    <script type="text/javascript" src="<spring:url value="/static/javascript/ajax.js"/>"></script>
    <c:if test="${!empty model.everything}"> <!-- everything is allowed -->
        <script type="text/javascript" src="<spring:url value="/static/javascript/showAll.js"/>"></script>
    </c:if>
    <c:if test="${!empty model.data1}"> <!-- only watching data1 is allowed -->
        <script type="text/javascript" src="<spring:url value="/static/javascript/showData1.js"/>"></script>
    </c:if>
    <c:if test="${!empty model.data2}"> <!-- only watching data2 is allowed -->
        <script type="text/javascript" src="<spring:url value="/static/javascript/showData2.js"/>"></script>
    </c:if>

    So my question is: is that a secure approach? Is it possible that the requesting person calls the other JavaScript files and views data he is not allowed to? What would be a safer approach?

    I was thinking of the following:
    - checking the rights in the Java class on the server, like before
    - then returning different JSPs with different JS files, but only one JS file per page (the JS file which displays the data the user is allowed to view)

    what do you think about that?

    Thanks for answering me! :-)

  • #2
    OK. I've researched and I found out the following:
    (SORRY, I'm new!!)

    Everybody can send requests to the server. So anybody can send requests to the server which he should not send and so get information which he should not get.

    I guess the only possibility is to check, when an Ajax request comes in, if the person has the permission to send this request or not!!!

    But if I check this every time, this will slow down the server so much, because I need information from the database to see if the person requesting is allowed to watch the information he requested! This will mean endless database queries!!!

    Is there any possibility to check it ONCE and then, for example, store it in the session or security context or something else for the requesting person????

    please, I would be so grateful for help! :-(


    • #3
      You are correct that you need to perform security checks every time you request a URL. To improve performance, you can always cache the result of the security check. The caching implementation really depends on your specific use cases. One way of caching would be to use EhCache, for which Spring Security provides out-of-the-box hooks in a number of locations in its architecture.


      • #4
        Thanks for your answer! I will research EhCache.

        One more question before I start:

        Let's assume I would cache the result of the security check.
        So when User B requests the page of User A, I would cache the result and save it (for example: B can watch data1 and data2 from A).
        User B can look at User A's page and he will always only see the data he should see, no matter where he clicks on the page.

        But then: User B asks for User C's page. In the cache: still the permission for the data parts (data1, data2). Urgh....

        OK, maybe I should research first, but it seems to me like I have to act very carefully with this cache!

        thanks! :-)

        I misunderstood it. It's a cache that caches database queries? So that would maybe make my security checks quicker. But what I read is that I have to be careful not to work with old cached data; since I'm a beginner this sounds complicated to me, but I will research a little bit more. Isn't there another solution?
        Last edited by jeeper; Jan 19th, 2011, 10:29 AM.


        • #5
          That's true. It's not a trivial task. You'll need to balance performance vs stale data.
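
          As an added example (not code from this thread, from the poster, or from Spring itself), here is the shape of the server-side approach suggested in #3 together with the cache-key pitfall raised in #4: every Ajax endpoint re-checks the caller against the owner's settings on each request, and the cached decision is keyed on both viewer and owner, so B's permissions on A's page are never reused for C's page; a short TTL plus an explicit invalidation hook bound how long a revoked permission can linger. It assumes Spring MVC 3 with Spring Security 3 and the Ehcache 2.x API; the class names, the URL layout (/users/{ownerId}/{part}) and the sample rules are hypothetical, and bean wiring is left to the Spring configuration.

```java
import java.util.*;
import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
import net.sf.ehcache.Element;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

/** Relationship of the caller to the profile owner, weakest first; the order is used for comparison. */
enum Viewer { ANONYMOUS, USER, FRIEND, OWNER }

/** The parts of a profile the owner can open up separately. */
enum Part { DATA1, DATA2 }

/** Hypothetical stand-in for the privacy settings and friend lists held in the database. */
class VisibilityRepository {
    private final Map<String, Map<Part, Viewer>> rules = new HashMap<String, Map<Part, Viewer>>();
    private final Map<String, Set<String>> friends = new HashMap<String, Set<String>>();

    VisibilityRepository() {
        // constructed sample rows: alice shows DATA1 to any logged-in user, DATA2 to friends only; bob is her friend
        Map<Part, Viewer> alice = new EnumMap<Part, Viewer>(Part.class);
        alice.put(Part.DATA1, Viewer.USER);
        alice.put(Part.DATA2, Viewer.FRIEND);
        rules.put("alice", alice);
        friends.put("alice", new HashSet<String>(Arrays.asList("bob")));
    }

    /** Minimum Viewer level the owner requires for each part; an unknown owner exposes nothing. */
    Map<Part, Viewer> rulesFor(String ownerId) {
        Map<Part, Viewer> r = rules.get(ownerId);
        return r == null ? Collections.<Part, Viewer>emptyMap() : r;
    }

    boolean isFriend(String ownerId, String viewer) {
        Set<String> f = friends.get(ownerId);
        return f != null && f.contains(viewer);
    }
}

/** Decides which parts a viewer may see and caches the decision per (viewer, owner) pair. */
class PermissionService {
    private static final long TTL_SECONDS = 60;   // upper bound on how long a revoked permission survives
    private final VisibilityRepository repo;
    private final Cache cache;

    PermissionService(VisibilityRepository repo) {
        this.repo = repo;
        // Ehcache 2.x constructor: name, maxElementsInMemory, overflowToDisk, eternal, timeToLive, timeToIdle
        this.cache = new Cache("viewPermissions", 10000, false, false, TTL_SECONDS, TTL_SECONDS);
        CacheManager.create().addCache(cache);
    }

    /** Parts of ownerId's profile the viewer may see; viewer == null means anonymous. */
    @SuppressWarnings("unchecked")
    Set<Part> allowedParts(String viewer, String ownerId) {
        // The key must contain BOTH ids. Keyed on the viewer alone, B's permissions on A's page
        // would be handed back unchanged when B opens C's page.
        String key = (viewer == null ? "anonymous" : "user:" + viewer) + "\u0000" + ownerId;
        Element hit = cache.get(key);
        if (hit != null) {
            return (Set<Part>) hit.getObjectValue();
        }
        Set<Part> allowed = compute(viewer, ownerId);
        cache.put(new Element(key, allowed));
        return allowed;
    }

    /** Call when an owner changes privacy settings or friends, so stale entries do not outlive the change. */
    void invalidateOwner(String ownerId) {
        for (Object key : cache.getKeys()) {
            if (((String) key).endsWith("\u0000" + ownerId)) {
                cache.remove(key);
            }
        }
    }

    private Set<Part> compute(String viewer, String ownerId) {
        Viewer level = viewer == null ? Viewer.ANONYMOUS
                : viewer.equals(ownerId) ? Viewer.OWNER
                : repo.isFriend(ownerId, viewer) ? Viewer.FRIEND
                : Viewer.USER;
        Set<Part> allowed = EnumSet.noneOf(Part.class);
        for (Map.Entry<Part, Viewer> rule : repo.rulesFor(ownerId).entrySet()) {
            if (level.ordinal() >= rule.getValue().ordinal()) {
                allowed.add(rule.getKey());
            }
        }
        return allowed;
    }
}

/** The Ajax endpoint the JSP's scripts call. The JSP only picks a script; this check is what protects the data. */
@Controller
class ProfileDataController {
    private final PermissionService permissions;

    ProfileDataController(PermissionService permissions) {
        this.permissions = permissions;
    }

    @RequestMapping(value = "/users/{ownerId}/{part}", method = RequestMethod.GET)
    @ResponseBody
    public String part(@PathVariable String ownerId, @PathVariable String part) {
        Part wanted = Part.valueOf(part.toUpperCase(Locale.ROOT));   // unknown part name fails here, before any lookup
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String viewer = (auth == null || auth instanceof AnonymousAuthenticationToken) ? null : auth.getName();
        if (!permissions.allowedParts(viewer, ownerId).contains(wanted)) {
            // Spring Security's ExceptionTranslationFilter turns this into HTTP 403 (or a login redirect for anonymous callers)
            throw new AccessDeniedException("not allowed to view " + wanted + " of " + ownerId);
        }
        return "{\"part\":\"" + wanted + "\",\"owner\":\"" + ownerId + "\"}";   // the real data would be loaded from the database here
    }
}
```

          The conditional script includes in the JSP can stay as a convenience for the UI, but nothing on the client is trusted: anyone can fetch /static/javascript/showAll.js directly or call the endpoints by hand, and only the per-request check in the controller decides what comes back. The cache only removes the database round trip for repeated requests by the same viewer for the same owner; the check itself still runs on every request.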


          • #6
            Thank you for answering me! Do you have some tips on what I could read to understand it better? Maybe a book or a great tutorial? It's really overwhelming and I don't want to make the wrong decisions; that would be fatal.

            thank you!