On Security

Hi guys,

Is this pattern safe for use?

I’m asking if it’s possible for normal users to engineer a call to a non-rendered component and gain elevated rights.

// Create button.
Button myButton = ...;

// Listen to clicks.
myButton.addListener(new Button.ClickListener() {
    // Runs on the server when a click event for this button arrives.
    public void buttonClick(Button.ClickEvent event) {
        securitySensitiveOperation();
    }
});

// Later, remove it from the tree.
if (normalUser) {
    myButton.getParent().removeComponent(myButton);
}

Is this safe, or dangerous? If dangerous, I will use a different pattern, one in which I never register a listener for normal users.

No, that is completely fine. Components that are not part of the UI hierarchy do not exist on the client side, and are thus unreachable from the browser using any method.

Each attached component (or more generally, each “Paintable”) is assigned an internal ID for communication purposes. When a component is detached, its ID mapping is removed, so if someone were to forge a Vaadin UIDL request, the server would reject that as the ID does not match any component.

Even so, I’d advise clearly separating “cosmetics” (hiding UI elements that are not accessible) and the actual privilege enforcement, which should always be done explicitly right before attempting the operation requiring elevated privileges.
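
The separation advised in the answer above, as an added example that is not part of the original thread and is not Vaadin code: the click listener body is modelled in plain Java as onClick so the file compiles without the framework. User, Role, showButton and onClick are hypothetical names; only securitySensitiveOperation comes from the question.

```java
import java.util.EnumSet;
import java.util.Set;

// Added example: every name except securitySensitiveOperation is hypothetical.
public class EnforceAtOperation {
    enum Role { NORMAL, ADMIN }

    // Stand-in for what the application keeps per session about the logged-in user.
    static final class User {
        final String name;
        final Set<Role> roles;
        User(String name, Set<Role> roles) { this.name = name; this.roles = roles; }
    }

    // Enforcement lives with the operation, so every caller passes through it.
    static void securitySensitiveOperation(User caller) {
        if (caller == null || !caller.roles.contains(Role.ADMIN)) {
            throw new SecurityException("denied: " + (caller == null ? "anonymous" : caller.name));
        }
        System.out.println("operation performed for " + caller.name);
    }

    // Body of the click listener: passes the session user along and handles refusal.
    static boolean onClick(User sessionUser) {
        try {
            securitySensitiveOperation(sessionUser);
            return true;
        } catch (SecurityException e) {
            System.out.println("refused and logged: " + e.getMessage());
            return false;
        }
    }

    // Cosmetic decision only: whether the button is shown at all.
    static boolean showButton(User u) { return u.roles.contains(Role.ADMIN); }

    public static void main(String[] args) {
        User admin = new User("alice", EnumSet.of(Role.ADMIN));   // constructed sample users
        User normal = new User("bob", EnumSet.of(Role.NORMAL));
        System.out.println("button shown to bob: " + showButton(normal));
        // Even if a UI bug leaves the button attached for bob, the click is refused.
        System.out.println("bob click succeeded: " + onClick(normal));
        System.out.println("alice click succeeded: " + onClick(admin));
    }
}
```

With the check inside the operation, removing the button for normal users stays a usability measure, and a refused call leaves a log entry that can be reviewed.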