Thoughts on Web Application Security (III)

ApplicationProgramSecurity Control includes the timing and method of control, that is, where or when to control and the basis for permission control.

In the previous articlesWebWhen the application performs security controlRequestBefore reaching the real application, we will summarize its features ﹕

1.In this way, there will be no uncontrolled dead ends.(Each request is performed, and each action is verified.)And abstractWebApplication nature(All the server-side programs are on the clientRequestAfter)In this way, it can be decoupled from the business system and designed separately.

2.Permission control should be performed before each execution, because the user cannot access the real business program without authorization.

 

Of course, the timing for security control is also included during program execution.UIStage, business logic calling stage, database operation stage, and so on, they are essentially the same(Of course, the database operation phase remains to be discussed, because not all system actions are mapped to the database.)But inWebIn applications, they all have some disadvantages compared to the method I mentioned. For example, they are not easy to abstract and may have a dead corner of control and a high degree of system coupling.

 

However, these three solutions have their own background ﹕

1.Database: Applicable to multiple systems(Systems developed in different languages)In the scenario of accessing the same database, permission control is implemented at the database layer to manage data access permissions in a unified manner.

2.Logic layer: Suitable for existingWebAsUIAndSmart Client﹐Winform﹐ConsoleEven through. Net remotingThe system of the caller.

3.UILayer: AsUILayer, I think it is only suitable for situations where the system is small or the permissions are relatively simple.

 

After talking about the timing of permission control, we will discuss the security control methods.

 

The security control method is actually permission control.

 

Permission control is to determine whether the current user has the permission for the current operation object. That is, to determine what object the current operation is, who the current user is, and whether the current user has the corresponding object.

 

Permission Control ProgramCodeIt looks like this ﹕

 

 

1 : Current user = Getcurrentuser ()

2: Current object=Getcurrentright ()

3: Bool right_flag=Hasright (current user, current object)

If (!Right_flag)

{

4: No permission

Return

}

Program continues

 

The most difficult part here is the current object.(That is, what is used as the object of permission judgment)The classification standards are now available. I have read the following ﹕

1.Add, delete, modify, and query a specific data table in the database as the control object

2.The logic class method is used as the control object

 

I have no intention to discuss the advantages and disadvantages of the above two standards, but only put forward my point of view ﹕

 

In my opinion, for any system, its permissions are essentially system functions implemented according to user requirements.

 

For example, an order management system may implement the following functions: order placement, review, warehouse picking, order printing, and warehouse picking.

 

Therefore, when determining the current object, you only need to determine which system function of the current action is an attribute.

 

For example, click"Submit order"Button, it belongs"Place order"Function

User Access"Order Review"Page, which belongs"Review"Function

Click"Review button"Which also belongs"Review"Function

User Access"Print"Program, accordingType =Order, I can determine this is the property order printing function, accordingType =I can determine that this is the export order printing function.

 

By the way, I would like to mention this situation ﹕

James can only reviewADepartment orders

Li Si can reviewADepartment ﹐BDepartment orders

Wang can review orders of all departments

 

In fact, we abstract this requirement"Data permission".HardcodeMethod: In the current program, when the current program accesses the order data to be reviewed, it is obtained by passing in the data of its permission department in the code, because the user raised this requirement-The review function is actually used to review the order function of the Department under the authority. Therefore, you must distinguish between the real business needs and non-business needs of users.

For another example, if the user tells us that only the department supervisor and above can review the order, then we think it is not a business requirement. We do not consider this when designing and developing the business system. one point, while at run time, he can help or tell him how to assign the permission of the department supervisor and above to review the order.

 Another point is that in our permission design, we have only one object, namely, the system function, without judging the operations of the object, such ﹕

Zhang San OrderDelete

Li Si OrderReview

in this case, we abstract it into two system functions: deleting orders and reviewing orders 2