Imagine we have a class User:
class User {
String id;
String name;
String email;
String password;
}
For a user with admin role, there is no problem to show all properties.
But for a user without admin role, is better to not show some of the properties.
With the annotation #ApiResourceProperty is possible to control the visibility of these properties.
But I'm asking about a good approach to selectively expose (or not) a property, based for example on the role of the user doing the request.
I can use different endpoints for each of the user roles, but I'm wondering if there is a better approach.
Related
The msdn documentation on PasswordBox.Password says:
When you get the Password property value, you expose the password as plain text in memory. To avoid this potential security risk, use the SecurePassword property to get the password as a SecureString.
So I send SecurePassword to my view model on PasswordChanged event, expecting everything to be secure, but if I inspect my application with Snoop, in PasswordBox's Password property I see the password I entered in plain text. Does that not kill the whole purpose of using SecurePassword? Is there anything else I should do here to protect the passwords?
This is my humble opinion.
Snoop injects its code in running application. So, it's basically a hacking tool. A very easy-to-use hacking tool, which works only with your GUI.
This is why simply changing visibility of any item to hide some data from user is a poor secutity desicion. Everything about restrictions, access and security shouldn't be handled at UI layer. There are ways on How to Snoop proof your wpf application? but main point of answers there is that you have to design your application in the way, which doesn't allow snoop to violate anything. Validate everything on the server, for example.
Back to your question:
There are two scenarios. First one is: user creates a password. I believe this is not a concern, if a user or user's malware will see the password at this moment. Then you receive and store secured string. And clear user's password.
Second scenario: you display a stored password to user. The trick is - you don't display it. You know a length of a password, so you can display just disabled textbox with ****. And if a user wants to change a password - you give him actual passwordboxes, which he has to fill with old password and new one and we are back to scenario #1.
The silver lining is:
When a user inputs a password it's not a big deal, that it is lying in clear text somewhere in a memory, since a user knows what he've typed and malware can track keys pressed.
After you've stored the password you never ever give it back to user
Update: This is a source code for Password property of a Password box
public string Password
{
[SecurityCritical]
get
{
string password;
using (SecureString securePassword = this.SecurePassword)
{
IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(securePassword);
try
{
unsafe
{
password = new string((char*)ptr);
}
}
finally
{
System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);
}
}
return password;
}
So, I guess what MSDN is saying, is that whenever you access Password property, by calling it in code (or viewing it in VS while debugging, or viewing it it Snoop) you call it's get method, which decrypts SecuredString to plain text, what exposes it to memory. If you don't call Password property and don't call it by inspecting in software tools, then password doesn't show up in memory in plain text.
This question is related to Spring Data MongoDB model classes without annotations.
I have a situation where I need to store my domain classes either in RDBMS store or NoSQL store. Say for example my domain classes are User, Feature, PaymentRequest, Order, OrderLine, OrderHeader etc.
I cannot use any annotation on my domain classes for various reasons.
Application team will specify in which persistent store they like to store. They might configure to store it in MongoDB or in MySQL or in Oracle etc.
My requirement is when I am storing in MongoDB say using spring-data-mongodb I want to leverage the DBRefs for associated objects in my domain object.
How can I achieve with spring-data-mongodb without using annotations in my model classes.
class Role
{
String id;
String roleName;
}
class User {
String id;
String firstName;
String lastName;
List<Role> userRoles;
}
When I save User object I want to ensure that in MongoDB Role objects are stored as DBRefs instead of actual Role object graph.
My question is ─ without using annotations in my User and Role classes ─ how can I achieve this?
I searched the user's forums and could not find a way. That's why I'm posting my question here.
Thanks,
Kishore Veleti A.V.K.
Not sure if you ever figured this out, but you can use AspectJ to create an ITD (inter-type declaration) to weave in the annotations into the class without having to actually modify the original code.
For example, to turn your userRoles into a DBRef, you just need this aspect:
import org.springframework.data.mongodb.core.mapping.DBRef;
privileged aspect User_Mongo {
declare #field: * User.userRoles : #DBRef;
}
This simply adds the #DBRef annotation to any fields within User named userRoles. You can look at the AspectJ documentation for more information on field patterns and ITDs.
My project has two entities User and Item in one to many relationship. The paent User entity is mapped by field "owner" in Item entity which is annotated with Fetchtype.LazyLoad.
Item entity:
Item{
//other fields..
#Manytoone(#FetchType=LazyLoad)
User owner;
//getters and setters...
}
Now I am querying to get items whose parent user entity has gender set to Female like below:
String queryString="Select i from Item AS i where i.owner.gender='Female'"
Query q=QueryFactory.createQuery(queryString);
List<Item> result=q.getResultList();
My question is whether such kind of query is possible?If so, is the annotation LAZYLOAD will have any affect in getting results, since in my understanding,owner field will not be loaded implicitly when loading the Item entities.
GAE does not allow joins, as said in your comments. If you try that you should get an error.
The log should be enabled using standard log4j (internet search its docs) or java.util.logging. They allow a config file in the root of the CLASSPATH to configure how much gets logged. Things can be logged to the console or to a file depending on the config
I've been attempting to pass a bool value across multiple pages. I've built a program that has a login page and four different pages upon successful login. I have an admin and an employee. My problem is that the admin and employee have to have different views -- that is, when the admin is logged in, certain buttons throughout the various pages are visible to him, whereas when the employee is logged in, they are not.
Thus, the problem: How to pass a bool across multiple pages? The bool sets itself upon a login. I was originally passing around the bool through each page, but stack overflow occurs.
My other ideas were to bind the visibility of the buttons to the outcome of the bool, but I've yet to be successful.
Other idea was to make a class for the bool and reference the getters/setters there each time a page opens.
Any ideas?
I guess you want to share a plain normal session in your application.
Just create a model for it
public class SessionModel
{
public bool IsAdmin { get; private set; }
public SessionModel(bool isAdmin)
{
IsAdmin = isAdmin;
}
}
and make this accessible to your Views via MVVM, then in your view check the values of your ViewModel.
Your user class (model) should have the permission info which you should convert to bool/visibility/xyz things to render UI.
I have a simple Post model in my django app:
class Post(models.Model):
category = models.CharField(max_length=10, choices=choices)
message = models.CharField(max_length=500)
user = models.ForeignKey(User, editable=False)
I'd like to implement the feature of having anonymous users create posts with nick names. Unfortunately django doesn't allow you to save an instance of AnonymousUser as a foreignkey to the Post class.
I was thinking of adding a "dummy" user record into the db that represents the anonymous user(id=0, or some negative number if possible) that would be used for all posts without a user. And if it is present a nullable name field would be used to represent the nickname of the anonymous user.
This solution seems a bit hacky to me. Is there any cleaner more effecient solution?
If you can identify new users by some session information, you could just create normal user accounts, pro forma so to speak - with a flag to identify them as volatile (this may lead to some regular maintenance cleanup).
If, during session lifetime, the user actually want to register, you can reuse the user account on your side and the user can keep all his data on his.
As #slacy commented and #Dominique answered; instead of rolling your own take a look at existing projects, e.g. this:
http://www.stereoplex.com/blog/introducing-django-lazysignup
Not tested , but this can help:
https://github.com/danfairs/django-lazysignup
You can add blank=True and null=True to User ForeignKey and set it to None, if user is anonymous. You just need to store the nickname somewhere.
I am new to Django. A friend told me not to use ForeignKey further stating that using CharField is ok. ForeignKey is slower than CharField, as it has some check for user info.