I have a page which uses Thymeleaf to update a user’s profile, and on this page there are two buttons: one allows you to update the profile and the other allows you to remove the profile from the application.
Once the user is authenticated he has access to his own profile, and if he is not authenticated this access is denied.
For example, suppose the user with id = 51 has been authenticated and is now on his profile page.
Access to this page is:
http://localhost:8084/minhaapp/usuario/perfil/51
The problem is that any authenticated user can improperly access the profile of others. So if the user authenticated in the application with id 51 changes the URL to
http://localhost:8084/minhaapp/usuario/perfil/56
he’ll be able to change someone else’s profile!
What should I do?
What version of Spring are you using?
– Renato Vieira Dantas
@Renatovieradantas Thanks man, sorry for the delay! <version>4.3.4.RELEASE</version>
– Pena Pintada
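The flaw described in the question is an insecure direct object reference: Spring Security proves that somebody is logged in, but nothing checks that the logged-in user owns the profile whose id is in the URL. The controller below is an added example, not code from the question or its comments; it assumes a `Usuario` entity with a `login` field that matches the name Spring Security stores in the principal, a `UsuarioRepository` with `findOne`/`save`/`delete`, and the package name. The URL layout `/usuario/perfil/{id}` and the Spring 4.3.x APIs (`@GetMapping`/`@PostMapping`) come from the question and the comment thread.

```java
// Added example (not from the question or its comments). Package, Usuario,
// UsuarioRepository and the "login" field are assumptions; the URL layout
// /usuario/perfil/{id} and Spring 4.3.4 come from the question.
package br.com.minhaapp.web;

import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;

/** Minimal profile entity (assumed). "login" is what Spring Security reports as the principal name. */
class Usuario {
    private Long id;
    private String login;
    private String nome;

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getLogin() { return login; }
    public void setLogin(String login) { this.login = login; }
    public String getNome() { return nome; }
    public void setNome(String nome) { this.nome = nome; }
}

/** Assumed repository; a Spring Data CrudRepository<Usuario, Long> has these methods in the 1.x line. */
interface UsuarioRepository {
    Usuario findOne(Long id);
    Usuario save(Usuario usuario);
    void delete(Usuario usuario);
}

@Controller
@RequestMapping("/usuario/perfil")
public class PerfilController {

    private final UsuarioRepository usuarios;

    public PerfilController(UsuarioRepository usuarios) {
        this.usuarios = usuarios;
    }

    /**
     * The ownership check the question is missing. The id in the URL is untrusted
     * input; the only trustworthy identity is the authenticated principal. Throwing
     * AccessDeniedException lets Spring Security answer with 403 Forbidden.
     */
    private Usuario carregarPerfilDoDono(Long id, Principal principal) {
        Usuario perfil = usuarios.findOne(id);
        if (perfil == null || !perfil.getLogin().equals(principal.getName())) {
            // Same response for "does not exist" and "not yours", so the
            // error does not reveal which ids are valid.
            throw new AccessDeniedException("Acesso negado ao perfil " + id);
        }
        return perfil;
    }

    @GetMapping("/{id}")
    public String exibir(@PathVariable Long id, Principal principal, Model model) {
        model.addAttribute("usuario", carregarPerfilDoDono(id, principal));
        return "usuario/perfil";
    }

    @PostMapping("/{id}")
    public String atualizar(@PathVariable Long id, Usuario form, Principal principal) {
        Usuario perfil = carregarPerfilDoDono(id, principal);
        // Copy only the editable fields; never bind id or login from the form,
        // otherwise a crafted POST body could re-point the record.
        perfil.setNome(form.getNome());
        usuarios.save(perfil);
        return "redirect:/usuario/perfil/" + id;
    }

    @PostMapping("/{id}/remover")
    public String remover(@PathVariable Long id, Principal principal, HttpServletRequest request)
            throws ServletException {
        usuarios.delete(carregarPerfilDoDono(id, principal));
        request.logout(); // Servlet 3.0: drop the session of the profile that no longer exists
        return "redirect:/";
    }
}
```

The same decision can be moved out of the controller with method security (`@EnableGlobalMethodSecurity(prePostEnabled = true)` and `@PreAuthorize`) once the principal exposes the user's id, but the rule stays the same: the id the user owns comes from the session, and the id in the URL is only accepted if it matches. A simpler variant removes the id from the URL entirely (`/usuario/perfil`) and resolves the profile from the principal alone, which leaves nothing for a user to tamper with.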