Lightweight, Component-based, and Database-oriented Web Application Framework




9.2 Application access control: Component


Still on the AAT's main page of the mygb application, click the "Component Access Control" main link. The components previously registered via the ADT are listed as below.


Remember that "mygb_entry_list_admin" is the component selected by default when a user accesses the "Admin" page. It provides the logic to view the current list of guestbook entries, and it also renders the links and form elements that let the user perform other operations such as inserting new entries or updating and deleting existing ones. No users or groups have yet been assigned to the "mygb_entry_list_admin" component, which makes it publicly accessible to any type of user, including anonymous ones.

In theory, limiting access to the "mygb_entry_list_admin" component to certain users/groups will also block the other services behind it (the insert, update, and delete operations) from other users/groups. Let's start testing this theory by clicking the "0" link in the "Users Assigned" column of the "mygb_entry_list_admin" component row [1]. The AAT will then display the users currently assigned the privilege to access the "mygb_entry_list_admin" component, as below.


Click the "Open List" link [2] to list all potential users that can be granted access to the "mygb_entry_list_admin" component. From the users listed in the "Add Potential Users" table, select the user "admin" [3] and then click the "Add Selected" button [4]. As shown below, the list is now updated, with "admin" as the only user that has the privilege to access the "mygb_entry_list_admin" component.


Click the "Component Access Control" link [5] to go back to the main list of application components. As shown below, the "mygb_entry_list_admin" component is now highlighted, with one user assigned to it. This new setting means that only one user, "admin", can access the "mygb_entry_list_admin" component.


To test the component access privilege set above, go back to the browser window/tab of the mygb application and click the "About" main link. The "About" page will be displayed as below. Make sure that the current session used to access the mygb application still belongs to an anonymous user.


From the "About" page, click the "Admin" main link again; the framework will display a component access error as below.


At this stage everything seems fine: the anonymous user can no longer access the "Admin" page. However, this access control is actually too easy to break via CGI parameter tampering. As shown above, it can be done simply by appending the CGI parameter and value pair "task=mygb_entry_multirows_insert" to the original URL GET data [6].

Refreshing the browser with the modified URL GET data above makes the application runtime bypass the "mygb_entry_list_admin" component and run the multi-row insert component instead, as below.


To close this access control hole, all the other components related to the guestbook's "Admin" page must also be given limited access privileges, as was done for the "mygb_entry_list_admin" component. This can be done more practically from the user's side.

Go to the AAT's "User" administration page and click the link in the "Components Assigned" column of the "admin" user [7].


The AAT will display the components whose access privilege has been assigned to the user "admin". As shown below, there should be only a single component assigned, "mygb_entry_list_admin".


Click the "Open List" link [8] to list all other potential components to be assigned. From the components listed in the "Add Potential Components" table, select the components related to the guestbook's "Admin" page [9] and then click the "Add Selected" button [10].

Go back to the "Admin" page of the mygb application and try again to access the multi-row insert operation page using the previous CGI parameter tampering approach. As shown below, the framework should now block the anonymous user from accessing this particular application component.


Try to access the other components related to the guestbook's "Admin" page via CGI parameter tampering to make sure that all of them are now protected by the framework from anonymous access.
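The following is an added model of the behaviour this section walks through, not the framework's own code. It assumes the component to run is chosen by the "task" parameter, that a component with no assigned users is public (the AAT rule above), and that the update/delete component names are hypothetical placeholders; it contrasts the partial ACL after step [4] with the complete one after step [10], and includes an audit helper that lists which "Admin" page components are still open to anonymous users.

```python
# Added model of per-component access control; not the framework's own code.
# Assumptions: the "task" CGI parameter selects the component, a component
# with no assigned users is public, and the update/delete names are hypothetical.

ANONYMOUS = "anonymous"

# Components making up the guestbook "Admin" page. The first two appear in the
# tutorial; the update/delete names are placeholders.
ADMIN_COMPONENTS = {
    "mygb_entry_list_admin",
    "mygb_entry_multirows_insert",
    "mygb_entry_update",   # hypothetical name
    "mygb_entry_delete",   # hypothetical name
}


def is_allowed(acl, component, user):
    """AAT rule: a component with no assigned users may be run by anyone."""
    assigned = acl.get(component, set())
    return not assigned or user in assigned


def dispatch(acl, params, user, default="mygb_entry_list_admin"):
    """Resolve the component from 'task' (falling back to the page default),
    then apply the ACL of the component that will actually run."""
    component = params.get("task", default)
    if component not in ADMIN_COMPONENTS:
        return "unknown component"
    if not is_allowed(acl, component, user):
        return "component access error"
    return "ran " + component


def public_components(acl, components=ADMIN_COMPONENTS):
    """Audit helper: Admin-page components still reachable anonymously."""
    return sorted(c for c in components if is_allowed(acl, c, ANONYMOUS))


# State after step [4]: only the default component is restricted to "admin".
PARTIAL_ACL = {"mygb_entry_list_admin": {"admin"}}
# State after step [10]: every related component is restricted to "admin".
FULL_ACL = {c: {"admin"} for c in ADMIN_COMPONENTS}

if __name__ == "__main__":
    tampered = {"task": "mygb_entry_multirows_insert"}
    print(dispatch(PARTIAL_ACL, tampered, ANONYMOUS))  # ran mygb_entry_multirows_insert
    print(dispatch(FULL_ACL, tampered, ANONYMOUS))     # component access error
    print(public_components(PARTIAL_ACL))  # the three components still public
```

Running `public_components` against the live assignment table is the programmatic equivalent of the manual check this section ends with: an empty result means no "Admin" page component is left anonymously accessible.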