Breeze: how to make the original values map more secure -

-

i use originalvaluesmap custom auditing on save. in breeze docs, mention may need add additional security (it's coming client, don't trust it).

my goal find way validate original values map not tampered with, audit entries accurate. (an example of exploit want defeat of altering value in original values map make if had not changed value).

i thinking doing this:

  1. when data queried server, apply hash values of entity
  2. include hash in serialization graph of entity (so hash opaque value sent client, salt hash secret known server).
  3. when client calls save changes, echo hash server
  4. inside of beforesaveentities, reconstruct original entity using values originalvaluesmap.
  5. a hash of "de-deltaed" entity should match original.

my problem is, don't know how insert hash breeze's serialization graph , extract out.

it looks there several promising extension points (custom serializer on client, custom content provider).

how 1 this? there better way? nuts?

you nuts.

but seriously, straightforward way re-query existing data database see originalvaluesmap matches in db. if don't, either originalvaluesmap has been tampered with, or db record has been updated (by else) since queried. save should aborted in either case.

while @ it, you'll want enforce other rules on server:

  • some entities illegal save (e.g. users not allowed add new countries lookup table)
  • some entities can saved users in role (e.g. administrators)
  • some entities can saved users 'own' them (e.g. user can update order belongs them)
  • the values sanity-checked (e.g. prices positive, quantities reasonable)
  • the operation sanity-checked (e.g no user can create more 1000 orders in 1 hour)
  • other business rules applied (e.g. credit limits, time-of-day restrictions, etc.)

obviously of these won't apply app, may find there rules require querying database anyway. that's how should verify originalvaluesmap.

if intent on using "hash" technique, easiest way data , forth client add property in domain model base class isn't mapped database. you'll populate property on server before serialization.


Comments

Post a Comment

Popular posts from this blog

python - Subclassed QStyledItemDelegate ignores Stylesheet -

-
i'm trying subclass qstyleditemdelegate remove focus rectangle in qcombobox . even though i'm calling base implementation of paint function , nothing else, result different. looks if parts of style-sheet influence bounding box of item taken consideration. class pstyleditemdelegate(qstyleditemdelegate): def __init__(self, *args, **kwds): super(pstyleditemdelegate, self).__init__(*args, **kwds) def paint(self, *args, **kwargs): qstyleditemdelegate.paint(*args, **kwargs) what have paint unmodified qstyleditemdelegate ? as suggested tried replacing pyside pyqt4 , works, appears bug. update pyside 1.1.2 1.2.1 result same. unfortunately switch breaks other parts of code, if there no other suggestions i'm going accept answer. edit bug tracked here
Read more

java - HttpClient 3.1 Connection pooling vs HttpClient 4.3.2 -

-
i have used httpclient3.1(java) connection pooling below : import org.apache.commons.httpclient.httpclient; import org.apache.commons.httpclient.multithreadedhttpconnectionmanager; import org.apache.commons.httpclient.params.httpclientparams; import org.apache.commons.httpclient.params.httpmethodparams; import org.apache.log4j.logger; public class httpclientmanager { private static logger logger = logger.getlogger(httpclientmanager.class); private static multithreadedhttpconnectionmanager connectionmanager = new multithreadedhttpconnectionmanager(); private static httpclientparams clientparams = new httpclientparams(); static { try { clientparams.makelenient(); clientparams.setauthenticationpreemptive(false); clientparams.setparameter(httpmethodparams.so_timeout, new integer(30000)); // set so_timeout clientparams.setparameter(httpmethodparams.head_body_check_timeout, new integer(3000)); // head responses
Read more

SQL: Divide the sum of values in one table with the count of rows in another -

-
is possible to, in single query, sum bunch of values in 1 table, , divide count of rows in another? there common id/key in both tables... fyi, win points least info provided in question. answer it's possible...here psuedo code since i'm guessing @ tables , columns select summing / counting whynot (select id, sum(whatever) summing where_ever ) inner join (select id, count(1) counting what_ever)b on a.id = b.id question = 'vague' group a.id
Read more