Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Implementing LCDS Security with MDD

Avatar

Level 1

I am trying to understand security with MDD.

In my scenario, a user submits a document. I want to ensure that when the document is updated, the person who updated the document is the one who is updating the document.

My concern: If the submittedByUserID is returned to the client, a malicious authenticated user can falsify the headers to change the submittedByUserID.

My initial thoughts: I need to have a userServiceImpl that has a loginUser() method. The loginUser() method sets the user's ID in the session and I need to populate the submittedByUserID with this session information using the update-security-constraint.

  1. Am I correct in the approach above? Is there a better way? Am I totally off-base?
  2. If I am correct, how would I go about implementing this approach?

Data Structure:

<model>

    <entity name="User" persistent="true">

        <id name="userID" type="integer" generated="true"/>

        <property name="username" type="string"/>

        <property name="password" type="string"/>

        <property name="documents" type="Document[]"/>

    </entity>

   

    <entity name="Document" persistent="true">

         <id name="documentID" type="integer" generated="true"/>

        <property name="body" type="blob"/>

         <property name="submittedByUserID" type="integer"/>

    </entity>

</model>

0 Replies