Buu Nguyen
Hi everyone,
Our company is developing a distributed RMI application for a
hospital. In this app, the permissions of accessing remote services
depend on the role of the user. Currently, we are thinking of putting
the security check on the GUI, i.e. if the user cannot perform a
delete action then the delete button is disabled; however, there are 2
issues regarding this (???):
- We wonder if it is possible for a program to change the state of a
control (i.e. enable a button) of the Java GUI?
- Secondly, what if someone just writes another client app, retrieves
the services from the registry and invokes their methods?
Are the 2 actions possible?
- If no, then is it true that we can go on with the client security
check only, or is there any other threat besides the above?
- If yes, then we have to perform another check on the server side,
i.e. place in every single remote method a security check against the
user passed in the method as well (as an additional parameter)? Or is
there any better way to do this kind of server check?
We are looking forward to any ideas and suggestions!
Thank you!
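
An added example, not part of the original post: one way to centralize the server-side check the post asks about, so it is not repeated by hand in every remote method. `PatientService`, `RequiresRole`, `guard` and the session tokens are hypothetical names; it assumes the server issues a token at login and keeps the token-to-role table itself.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.rmi.*;
import java.util.*;

public class GuardedServiceDemo {
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    // Hypothetical remote interface; the first argument is always a session token.
    public interface PatientService extends Remote {
        @RequiresRole("NURSE") String readRecord(String token, int id) throws RemoteException;
        @RequiresRole("ADMIN") void deleteRecord(String token, int id) throws RemoteException;
    }

    static class PatientServiceImpl implements PatientService {
        public String readRecord(String token, int id) { return "record " + id; }
        public void deleteRecord(String token, int id) { System.out.println("deleted " + id); }
    }

    // Server-side session table: token -> roles, filled at login (constructed sample data).
    static final Map<String, Set<String>> SESSIONS = Map.of(
        "tok-nurse", Set.of("NURSE"),
        "tok-admin", Set.of("NURSE", "ADMIN"));

    // Wraps the implementation so every remote call passes through one role check.
    static PatientService guard(PatientService impl) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getDeclaringClass() == Object.class) return method.invoke(impl, args);
            RequiresRole need = method.getAnnotation(RequiresRole.class);
            Set<String> roles = (args != null && args.length > 0 && args[0] instanceof String)
                ? SESSIONS.getOrDefault((String) args[0], Set.of()) : Set.of();
            // Deny by default: unannotated methods and unknown tokens are rejected.
            if (need == null || !roles.contains(need.value()))
                throw new SecurityException("denied: " + method.getName());
            try { return method.invoke(impl, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (PatientService) Proxy.newProxyInstance(
            PatientService.class.getClassLoader(), new Class<?>[]{PatientService.class}, h);
    }

    public static void main(String[] a) throws Exception {
        // The guarded object is what the server would export, never the raw implementation.
        PatientService svc = guard(new PatientServiceImpl());
        System.out.println(svc.readRecord("tok-nurse", 7));
        try { svc.deleteRecord("tok-nurse", 7); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        svc.deleteRecord("tok-admin", 7);
    }
}
```

The role is looked up from the server's own table rather than taken from a user or role value supplied by the caller, so a hand-written client gains nothing by claiming a different role.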