0 Replies Latest reply on Feb 8, 2010 8:50 AM by David Buhler

    Implementing LCDS Security with MDD

    David Buhler

      I am trying to understand security with MDD.

       

      In my scenario, a user submits a document. I want to ensure that when the document is updated, the person who updated the document is the one who is updating the document.

       

      My concern: If the submittedByUserID is returned to the client, a malicious authenticated user can falsify the headers to change the submittedByUserID.

       

      My initial thoughts: I need to have a userServiceImpl that has a loginUser() method. The loginUser() method sets the user's ID in the session and I need to populate the submittedByUserID with this session information using the update-security-constraint.

       

      1. Am I correct in the approach above? Is there a better way? Am I totally off-base?
      2. If I am correct, how would I go about implementing this approach?

       

      Data Structure:

       

      <model>
          <entity name="User" persistent="true">
              <id name="userID" type="integer" generated="true"/>
              <property name="username" type="string"/>
              <property name="password" type="string"/>
              <property name="documents" type="Document[]"/>
          </entity>

          <entity name="Document" persistent="true">
              <id name="documentID" type="integer" generated="true"/>
              <property name="body" type="blob"/>
              <property name="submittedByUserID" type="integer"/>
          </entity>
      </model>
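
One way to enforce the approach described in the post, as an added example that is not part of the original post and not LCDS code: the server takes the user ID from the session bound at login and never trusts the submittedByUserID sent by the client. The session Map, the in-memory store and every method name other than loginUser() are assumptions standing in for the real server session and persistence layer.

```java
import java.util.HashMap;
import java.util.Map;
public class DocumentOwnershipExample {
    // Mirrors the Document entity from the post.
    static class Document {
        int documentID; byte[] body; int submittedByUserID;
        Document(int id, byte[] body, int owner) {
            this.documentID = id; this.body = body; this.submittedByUserID = owner;
        }
    }

    static final String SESSION_USER_ID = "userID";                 // assumed attribute name
    static final Map<Integer, Document> store = new HashMap<>();    // stand-in for persistence

    // Called only after the credentials have been verified server-side.
    static void loginUser(Map<String, Object> session, int verifiedUserID) {
        session.put(SESSION_USER_ID, verifiedUserID);
    }

    static int requireUser(Map<String, Object> session) {
        Object id = session.get(SESSION_USER_ID);
        if (!(id instanceof Integer)) throw new SecurityException("not logged in");
        return (Integer) id;
    }
    // The owner is stamped from the session; the client's value is discarded.
    static Document createDocument(Map<String, Object> session, Document fromClient) {
        Document d = new Document(store.size() + 1, fromClient.body, requireUser(session));
        store.put(d.documentID, d);
        return d;
    }

    // Ownership is checked against the stored row, never against the incoming object.
    static Document updateDocument(Map<String, Object> session, Document fromClient) {
        int caller = requireUser(session);
        Document stored = store.get(fromClient.documentID);
        if (stored == null || stored.submittedByUserID != caller)
            throw new SecurityException("caller is not the submitter");
        stored.body = fromClient.body;   // only the body is copied from the client
        return stored;
    }

    public static void main(String[] args) {
        // Constructed sample: two sessions, user IDs 1 and 2.
        Map<String, Object> alice = new HashMap<>(), mallory = new HashMap<>();
        loginUser(alice, 1); loginUser(mallory, 2);
        Document doc = createDocument(alice, new Document(0, "v1".getBytes(), 999));
        System.out.println("owner stored as " + doc.submittedByUserID);
        try { updateDocument(mallory, new Document(doc.documentID, "x".getBytes(), 1)); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```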