Problems with improper access to URLs in the application with Spring Security


I have a page that uses Thymeleaf to update a user's profile, and on this page there are two buttons: one allows you to update the profile and the other allows you to remove the profile from the application.

Once the user is authenticated he has access to his profile, and if he is not authenticated this access is denied.

For example, suppose the user has id = 51, has been authenticated and is now on his profile page.

Access to this page is:

http://localhost:8084/minhaapp/usuario/perfil/51

The problem is that any authenticated user can inappropriately access the profile of others. So if the user authenticated in the application with id 51 changes the URL to

http://localhost:8084/minhaapp/usuario/perfil/56

He will be able to change someone else's profile!

What should I do?

asked by anonymous 02.10.2017 / 16:28
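An added example, not from the question or the answer, of an authorization check that ties the id in the URL to the authenticated user, so that changing 51 to 56 in the URL is rejected with 403 instead of being honoured. It assumes a hypothetical UsuarioDetails principal that carries the user's database id, a hypothetical bean name perfilSecurity, and /usuario/perfil/{id}/atualizar as a guess at the update button's endpoint.

```java
import java.util.Collection;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;

// Hypothetical principal carrying the database id; the UserDetailsService must build it.
class UsuarioDetails extends User {
    private final Long id;
    UsuarioDetails(Long id, String username, String password, Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
        this.id = id;
    }
    Long getId() { return id; }
}

// Bean named "perfilSecurity" (hypothetical name) referenced from @PreAuthorize below.
@Component("perfilSecurity")
class PerfilSecurity {
    // True only when the id in the URL is the id of the authenticated principal.
    public boolean isOwner(Authentication auth, Long id) {
        if (auth == null || !(auth.getPrincipal() instanceof UsuarioDetails)) {
            return false;
        }
        Long current = ((UsuarioDetails) auth.getPrincipal()).getId();
        return current != null && current.equals(id);
    }
}

// Enables @PreAuthorize evaluation on controller methods.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig { }

@Controller
class PerfilController {
    // The same annotation goes on the "remover" endpoint; a foreign id is rejected with 403.
    @PreAuthorize("@perfilSecurity.isOwner(authentication, #id)")
    @PostMapping("/usuario/perfil/{id}/atualizar")
    public String atualizar(@PathVariable Long id) {
        // ... persist the submitted profile changes for `id` here ...
        return "redirect:/usuario/perfil/" + id;
    }
}
```

The `#id` reference in the SpEL expression needs the method's parameter names at runtime, so compile with debug information (the Maven default) or `-parameters`. Note that the check is tied to the authenticated identity, not to the session, so it still holds when a user simply edits the URL.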

1 answer


You can create a configuration that will control the sessions per user, avoiding this 'session affinity' that your app is creating.

For example, define a class that limits each user to one session.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.ExpiringSession;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Spring Session repository that can look sessions up by principal name
    @Autowired
    FindByIndexNameSessionRepository<ExpiringSession> sessionRepository;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // other config goes here...
            .sessionManagement()
                .maximumSessions(1)                   // one concurrent session per user
                .sessionRegistry(sessionRegistry());  // registry backed by Spring Session
    }

    @Bean
    SpringSessionBackedSessionRegistry sessionRegistry() {
        return new SpringSessionBackedSessionRegistry(this.sessionRepository);
    }
}


17.10.2017 / 21:49