Ensuring the currently logged in user has access to the specific records they have requested.

A malicious user logged in to a valid linked UA account could send requests to the system for data that belongs to other users. To prevent this, every page parameter must be validated to ensure that the record it identifies can be traced back to the currently logged-in user. How that trace is established differs for each type of record: a Payment, for example, can be traced back to the Participant via the Case on which it was issued.

The curam.citizenaccount.security.impl.CitizenAccountSecurity API offers methods that perform these checks for the types of records served to citizens by the OOTB pages; review the Javadoc of this API for the specifics. Custom pages that serve other kinds of data need additional checks that validate their page parameters. These checks should be added to a custom security API and invoked by the façade methods in question. Each method should check whether the requested record can be traced back to the currently logged-in user and, if it cannot, log the user name, the method name and any other pertinent data, then fail the transaction immediately (as opposed to adding the issue to the validation helper and allowing the transaction to proceed):

// Compare the concern role that owns the payment instrument with the
// concern role of the currently logged-in citizen.
if (paymentInstrument.getConcernRole().getID()
    != citizenWorkspaceAccountManager
        .getLoggedInUserConcernRoleID().getID()) {

  // The payment instrument passed in is not related to the logged-in
  // user: log the user name of the current user, the method invoked
  // and any other pertinent data (the logger call is not shown here).

  // Throw a generic exception that reveals nothing about what went wrong.
  throw PUBLICUSERSECURITYExceptionCreator
      .ERR_CITIZEN_WORKSPACE_UNAUTHORISED_METHOD_INVOKATION();
}

While as much information as possible about the infraction should be logged, it is important that the exception thrown does not expose any information that could be useful to a malicious user. A generic exception should be thrown that contains no information about what went wrong. The curam.citizenaccount.security.impl.CitizenAccountSecurity API throws a generic message stating "You are not privileged to access this page."
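As an added example (not the product's own code), the following hypothetical custom security class puts together the two rules above: it traces a requested Payment back to its Participant through the Case, logs the infraction with the user name and method name, and fails immediately with a generic message. The Payment and CaseRecord types, the in-memory maps standing in for the entities, the exception class and the use of java.util.logging are all assumptions made for this example.

```java
import java.util.Map;
import java.util.logging.Logger;

/** Hypothetical custom security API for a custom page that serves Payment records. */
public class CustomCitizenSecurity {

  private static final Logger LOG = Logger.getLogger(CustomCitizenSecurity.class.getName());

  /** Minimal stand-ins for the application records (constructed for this example). */
  public record Payment(long paymentID, long caseID) {}
  public record CaseRecord(long caseID, long participantConcernRoleID) {}

  /** Generic exception: the message deliberately says nothing about the cause. */
  public static class UnauthorisedAccessException extends RuntimeException {
    public UnauthorisedAccessException() {
      super("You are not privileged to access this page.");
    }
  }

  private final Map<Long, Payment> payments;   // stands in for the Payment entity
  private final Map<Long, CaseRecord> cases;   // stands in for the Case entity

  public CustomCitizenSecurity(Map<Long, Payment> payments, Map<Long, CaseRecord> cases) {
    this.payments = payments;
    this.cases = cases;
  }

  /**
   * Traces the requested Payment back to a Participant via its Case and fails the
   * transaction immediately when that Participant is not the logged-in user.
   */
  public void validatePaymentAccess(String userName, long loggedInConcernRoleID, long paymentID) {
    Payment payment = payments.get(paymentID);
    CaseRecord owningCase = payment == null ? null : cases.get(payment.caseID());

    // A Payment or Case that cannot be found is treated exactly like a foreign record.
    if (owningCase == null || owningCase.participantConcernRoleID() != loggedInConcernRoleID) {
      // Record the detail for investigators; none of it is returned to the caller.
      LOG.warning("Unauthorised record access: user=" + userName
          + " method=validatePaymentAccess paymentID=" + paymentID
          + " loggedInConcernRoleID=" + loggedInConcernRoleID);
      throw new UnauthorisedAccessException();
    }
  }
}
```

The façade method would call validatePaymentAccess before loading or returning the record, so a tampered paymentID page parameter produces the same generic failure whether the record belongs to another citizen or does not exist at all.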