Olivier J.

Reputation: 3175

Java realm and secured request

I'm developing a game with separated and isolated universes (like ogame for those who know this game). One player (account) is associated with one universe but one player (physical) can create one account per universe.

So a player can log in to multiple universes and switch universes while he is playing.

To do this, I have created an Authentication class which stores the id of the logged-in player and the universe name (which is the schema name in my PostgreSQL database).

So, an Authentication object represents a logged-in player. To manage application roles, I use a custom realm which gathers only the id and universe name (from my Authentication object) to process an SQL request and get the group name to convert it to roles.

All these mechanisms work fine.

I'm wondering if it is really secure to do that? Can an attacker send a request to my realm and inject an id and universe name in his request to process authentication directly? Because my realm needs neither password nor username (processed before in my application to create the Authentication object), such a malicious request will probably work.

So my question is only to know if a request to my realm can be made outside my Java application (or my Glassfish server)?

Upvotes: 2

Views: 126

Answers (1)

Freedom_Ben

Reputation: 11953

Assuming that the request happens outside of the application, and originates from the client, then if you don't verify username/password, chances are that someone could make a request outside of your application and violate your security. You should require the submittal of the username/password at the time of submittal of realm/universe and verify at that time that the user is authorized for the request they are making. Don't just make sure that the username/password is valid, but verify that they are registered for the universe they are logging into and the realms/roles they are trying to access. If you don't require this, you open yourself up for attacks.

Firefox and Firebug are nice, but they don't show you the raw requests. To really see the requests and what is going on, you should use a packet sniffer like Wireshark. If you can see the request there, then you are vulnerable. Also make sure that the username/password is encrypted and is not viewable in plain text, otherwise attackers could extract users' credentials by sniffing the wire.

If all the processing happens server side and there is no client request originating (and you see nothing in Wireshark on the client side), then you are probably safe.

Upvotes: 1
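
The check recommended in the answer above, as an added example that is not part of the original question or answer: the Authentication object is only ever built on the server, after the password and the account's registration in the requested universe have both been verified. All class, method and universe names are hypothetical, the in-memory map is a constructed stand-in for the per-universe account tables, and Java 16+ is assumed for records.

```java
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: hypothetical names; the map stands in for the per-universe account tables.
public class UniverseLogin {
    record Account(long id, byte[] salt, byte[] hash, Set<String> groups) {}
    record Authentication(long playerId, String universe, Set<String> roles) {}

    // universe -> (username -> account); the keys double as the allowlist of universe names
    private final Map<String, Map<String, Account>> universes = new HashMap<>();

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    void register(String universe, String user, long id, char[] pw, Set<String> groups) throws Exception {
        byte[] salt = new byte[16];
        new java.security.SecureRandom().nextBytes(salt);
        universes.computeIfAbsent(universe, u -> new HashMap<>())
                 .put(user, new Account(id, salt, pbkdf2(pw, salt), groups));
    }

    // Credentials, universe membership and roles are resolved in one server-side step;
    // the caller never supplies a player id or a role.
    Optional<Authentication> login(String universe, String user, char[] pw) throws Exception {
        Map<String, Account> accounts = universes.get(universe);
        if (accounts == null) return Optional.empty();          // unknown universe name
        Account a = accounts.get(user);
        if (a == null) return Optional.empty();                 // not registered in this universe
        if (!MessageDigest.isEqual(a.hash(), pbkdf2(pw, a.salt()))) return Optional.empty();
        return Optional.of(new Authentication(a.id(), universe, a.groups()));
    }

    public static void main(String[] args) throws Exception {
        UniverseLogin svc = new UniverseLogin();
        svc.register("andromeda", "olivier", 42L, "s3cret".toCharArray(), Set.of("player"));
        // Constructed cases: valid login, universe without an account, wrong password
        System.out.println(svc.login("andromeda", "olivier", "s3cret".toCharArray()).isPresent());
        System.out.println(svc.login("orion", "olivier", "s3cret".toCharArray()).isPresent());
        System.out.println(svc.login("andromeda", "olivier", "guess".toCharArray()).isPresent());
    }
}
```

A realm that later maps the player to roles would read the id and universe from the Authentication held in the server-side session, never from request parameters.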
