Problems with improper access to URLs in the application with Spring Security

I have a page, which uses Thymeleaf, to update a user's profile. On this page there are two buttons: one allows you to update the profile and the other allows you to remove the profile from the application.

Once the user is authenticated he has access to his profile, and if he is not authenticated this access is denied.

For example, suppose the user has id = 51, has been authenticated and is now on his profile page.

Access to this page is:

http://localhost:8084/minhaapp/usuario/perfil/51

The problem is that any authenticated user can improperly access the profile of others. So if the user authenticated in the application with id 51 changes the URL to

http://localhost:8084/minhaapp/usuario/perfil/56

he'll be able to change someone else's profile!

What should I do?

  • What version of Spring are you using?

  • @Renatovieradantas Thanks man, sorry for the delay! <version>4.3.4.RELEASE</version>
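The behaviour described in the question (changing the id in the URL and reaching another user's profile) is a missing object-level authorization check: the application verifies that the request is authenticated, but never verifies that the profile addressed by the path belongs to the authenticated user. The example below is added here and is not code from the question or from the answer; it shows the check for the `/usuario/perfil/{id}` route both as an explicit comparison in the handler and as a `@PreAuthorize` rule. The package and class names (`Usuario`, `UsuarioService`, `UsuarioController`), the in-memory data and the view names are assumptions; the APIs are those of Spring MVC 4.3 and Spring Security 4.3.

```java
// Added example (not code from the question or the answer): ownership check for
// /usuario/perfil/{id}. Package, class names and sample data are assumptions.
package com.example.minhaapp.web; // assumed package

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;

/** Minimal profile entity (assumed shape of the application's entity). */
class Usuario {
    private final long id;
    private final String login; // the name Spring Security authenticated with

    Usuario(long id, String login) { this.id = id; this.login = login; }
    long getId() { return id; }
    String getLogin() { return login; }
}

/** In-memory stand-in for the application's repository (constructed data). */
@Service("usuarioService")
class UsuarioService {
    private final Map<Long, Usuario> usuarios = new ConcurrentHashMap<>();

    UsuarioService() {
        usuarios.put(51L, new Usuario(51L, "alice"));
        usuarios.put(56L, new Usuario(56L, "bob"));
    }

    Usuario findById(long id) { return usuarios.get(id); }

    void delete(long id) { usuarios.remove(id); }

    /** True only when the profile with this id belongs to the authenticated login. */
    public boolean isOwner(long id, String login) {
        Usuario u = usuarios.get(id);
        return u != null && u.getLogin().equals(login);
    }
}

@Controller
@RequestMapping("/usuario/perfil")
class UsuarioController {
    private final UsuarioService service;

    UsuarioController(UsuarioService service) { this.service = service; }

    // Variant 1: explicit check in the handler. The id comes from the URL and is
    // chosen by the client; the login comes from the session and is not.
    @GetMapping("/{id}")
    public String perfil(@PathVariable long id, Authentication auth, Model model) {
        Usuario usuario = service.findById(id);
        if (usuario == null || !usuario.getLogin().equals(auth.getName())) {
            // Same outcome for "not mine" and "does not exist", so the response
            // does not reveal which ids are valid.
            throw new AccessDeniedException("profile does not belong to the authenticated user");
        }
        model.addAttribute("usuario", usuario);
        return "usuario/perfil"; // assumed Thymeleaf template name
    }

    // Variant 2: the same rule declared with method security. Requires
    // @EnableGlobalMethodSecurity(prePostEnabled = true) on a configuration class.
    @PreAuthorize("@usuarioService.isOwner(#id, authentication.name)")
    @PostMapping("/{id}/remover")
    public String remover(@PathVariable long id) {
        service.delete(id);
        return "redirect:/logout";
    }
}
```

Both variants compare something the client controls (the `id` in the path) against something it does not (the login stored in the authenticated session). Variant 2 keeps the rule next to the handler it protects and is the easier one to audit across many endpoints, but it only takes effect when method security is enabled on a `@Configuration` class.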

1 answer

0

You can create a configuration that will control sessions per user, avoiding the 'session affinity' that your app is creating.

For example, define a class that limits one session per person.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.ExpiringSession;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Spring Session repository that can look sessions up by principal name
    @Autowired
    FindByIndexNameSessionRepository<ExpiringSession> sessionRepository;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // other config goes here...
            .sessionManagement()
                .maximumSessions(1)                  // one concurrent session per user
                .sessionRegistry(sessionRegistry()); // registry backed by Spring Session
    }

    @Bean
    SpringSessionBackedSessionRegistry sessionRegistry() {
        return new SpringSessionBackedSessionRegistry(this.sessionRepository);
    }
}

https://docs.spring.io/spring-session/docs/current/reference/html5/
