• Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.4.2
    • Security Level: Public (Public: Anyone can view)
    • Labels:
    • Similar issues:
      KULRICE-5830 Improve the AttachmentServlet security
      KULRICE-12721 Improvements to property binding security
      KULRICE-144 Improve KSB security using Acegi
      KULRICE-1790 Improve KEW's internal access control and authorization
      KULRICE-4534 Improvements to configurability of sensitive data checks in the KNS
      KULRICE-12169 Generate Release Notes for security patches
      KULRICE-13594 Manual testing for struts security patch
      KULRICE-7539 Security fixes to prevent phishing attacks
      KULRICE-13352 Write Unit Tests for new Spring Security KSB security integration
      KULRICE-12172 Manually test security patch builds
    • Rice Module:
    • Sprint:
      2.5.0-m3 Sprint 1, 2.5.0-m3 Sprint 2
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Pending Review
    • Code Review Status:
      Not Required
    • Include in Release Notes?:


      The first pain point is having to add @MethodAccessible to all controller methods that can be invoked via GET requests. The reason for this is that we only have information about valid methods on a POST, and therefore need to be told that a method is OK on a GET. However, this is redundant. In order for a controller method to be accessible at all, Spring requires you to add the RequestMapping annotation, which can itself be restricted to GET methods. So I am proposing we don't check GET requests at all (just POSTs), and rely on the Spring RequestMapping to provide the same level of security. Keep in mind that once we have the 'Use Screen' permission these GET methods can be restricted to a role, and if the method is requesting a view, document, or other asset the usual KIM permissions apply.
      The second pain point is again on GET requests, but with binding of parameters to the form. Again, we only have information about valid binding properties on a POST, so we require a property to be marked as accessible if it will be populated on a GET. Currently you add a RequestAccessible annotation, which can then be restricted to just GET methods. But this opens up the binding for all GET requests. There is more discussion on this problem from the KS devs here:
      One thing we can do is allow the RequestAccessible to be associated with a mapping. If everyone is following the methodToCall convention, we can simply add methodToCall as a param on the annotation:

      @RequestAccessible(methods=HttpMethod.GET, methodToCall="show")
      private String termCode;

      This would only bind the property if the request was a get, and the methodToCall parameter was “show”. If needed, we can add other mapping parameters that Spring supports.
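      The following is an added illustration of the proposed binding rule, not code from Rice or from this issue. It assumes a hypothetical RequestAccessible annotation with the methods and methodToCall attributes named above, a stand-in HttpMethod enum in place of Spring's, and a constructed CourseForm; the isBindable check is the point: a GET binds a property only when the field opts in, the annotation permits GET, and the request's methodToCall matches (an empty methodToCall keeps today's "any GET" behaviour, so the two forms can be compared side by side).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public class RequestBindingPolicyDemo {

    // Stand-in for Spring's HTTP method type (assumption, keeps the example JDK-only).
    enum HttpMethod { GET, POST }

    // Hypothetical annotation with the shape proposed in the issue: which HTTP methods
    // may bind the field, and which methodToCall value the request must carry.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @interface RequestAccessible {
        HttpMethod[] methods() default { HttpMethod.GET, HttpMethod.POST };
        String methodToCall() default "";   // "" = any methodToCall (the current, broader behaviour)
    }

    // Constructed sample form with three fields of differing exposure.
    static class CourseForm {
        @RequestAccessible(methods = HttpMethod.GET, methodToCall = "show")
        private String termCode;            // proposed form: GET binding only when methodToCall=show

        @RequestAccessible(methods = HttpMethod.GET)
        private String courseId;            // current form: bindable on every GET

        private boolean approved;           // no annotation: never bound from a GET
    }

    /**
     * Decide whether a request parameter may be bound to the named form field.
     * POST binding is assumed to be validated elsewhere against the view's own
     * property list (the issue notes valid properties are only known on a POST),
     * so only GET is gated here.
     */
    static boolean isBindable(Class<?> formClass, String property, HttpMethod method, String methodToCall) {
        Field field;
        try {
            field = formClass.getDeclaredField(property);
        } catch (NoSuchFieldException e) {
            return false;                   // unknown property: never bind
        }
        if (method == HttpMethod.POST) {
            return true;                    // assumption: POST is checked against the view elsewhere
        }
        RequestAccessible access = field.getAnnotation(RequestAccessible.class);
        if (access == null) {
            return false;                   // GET requires an explicit opt-in
        }
        if (!Arrays.asList(access.methods()).contains(HttpMethod.GET)) {
            return false;                   // annotated, but not for GET
        }
        // Empty methodToCall keeps the old "any GET" semantics; otherwise it must match exactly.
        return access.methodToCall().isEmpty() || access.methodToCall().equals(methodToCall);
    }

    /** Filter a parameter map the way a binder would, keeping only the bindable entries. */
    static Map<String, String> filterBindable(Class<?> formClass, Map<String, String> params,
                                              HttpMethod method) {
        String methodToCall = params.getOrDefault("methodToCall", "");
        Map<String, String> allowed = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (e.getKey().equals("methodToCall")) {
                continue;                   // routing parameter, not a form property
            }
            if (isBindable(formClass, e.getKey(), method, methodToCall)) {
                allowed.put(e.getKey(), e.getValue());
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed sample GET requests, not real Rice traffic.
        Map<String, String> showReq = new LinkedHashMap<>();
        showReq.put("methodToCall", "show");
        showReq.put("termCode", "2014FA");
        showReq.put("courseId", "CS101");
        showReq.put("approved", "true");

        Map<String, String> startReq = new LinkedHashMap<>(showReq);
        startReq.put("methodToCall", "start");

        // With methodToCall=show, termCode and courseId bind; approved is dropped.
        System.out.println("GET show  -> " + filterBindable(CourseForm.class, showReq, HttpMethod.GET));
        // With methodToCall=start, only courseId (open to any GET) still binds.
        System.out.println("GET start -> " + filterBindable(CourseForm.class, startReq, HttpMethod.GET));
    }
}
```

      Running the main method shows the difference the extra attribute makes: courseId, annotated in today's style, is written by any GET that names it, whereas termCode is only written by the GET that is actually meant to populate it. Any further mapping parameters the issue mentions (other RequestMapping-style criteria) would slot into the same isBindable check.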

      Also, look into not requiring @MethodAccessible for custom post methods. This could be done by keeping track of what methods are available from the view configuration (not just rendered), and if the method is outside that list allow it to be invoked.




          • Assignee:
            Nisha Gupta (Inactive)
            Jerry Neal (Inactive)


            • Created:

              Time Tracking

              Original Estimate - 1 day
              Remaining Estimate - 1 day
              Time Spent - Not Specified

