0

i am working on a java/j2ee based web application where i have one module called leave management in which when the employee request for the leave the manager approves or reject leave by log in to the application,Here log in into the application creates an extra overhead for the user , so i am trying to implement a feature where the manager can approve or reject the from his/her mail itself as mail is sent to the manager every time the employee request for leave based on the parameters in the url in the link like this without log in to the application https://my.xyz.com//LEAVE#LeaveReq#123#1545#State

So my question is

  1. Is it possible to achieve this without log in to the application and saving values to the database and without breaching the security.

2.If yes, how can i implement this?

saurabh
  • 237
  • 6
  • 20
  • So if anyone has the link (even me) they can approve the vacation? – Scary Wombat Jul 17 '15 at 06:07
  • what kind of framework or you using? are you just using filters to manage your security? – Sri Tirupathi Raju Jul 17 '15 at 06:08
  • You (possibly) could, but it would be security hole, how would you proof the identity of the user? What happens when a manager claims that they never authorised/rejected the leave that's in the system, how would you prove it other wise? May consider single sign in or maybe even a longer session cookie ... or just about anything else... – MadProgrammer Jul 17 '15 at 06:08
  • @ScaryWombat not exactly it should be unique link and should work only for the particular user – saurabh Jul 17 '15 at 06:08
  • @TirupathiRaju i am using servlets – saurabh Jul 17 '15 at 06:10
  • @MadProgrammer: now a days this became a standard practice. The email authentication is considered good enough and we used it in quite a few places. – Dakshinamurthy Karra Jul 17 '15 at 06:21
  • @KDM Still think it's a security risk, but I guess any computer connected to a network is security risk – MadProgrammer Jul 17 '15 at 06:23
  • @MadProgrammer depends on how critical you consider something. If the authorisation of the request is mostly a formality, limiting the impact on workload is far more important than making it impossible to "hack". And in any company I've worked for that's the case, plus of course the manager would find out you're on unauthorised leave when someone calls him to ask where the heck you are, and there are no doubt checks in the system also to certify that people don't take more leave than they're granted in their contracts. – jwenting Jul 30 '15 at 05:34

5 Answers5

1

Yes you could. Just pass in some other parameters like say we call it token which would contain a "random" string which is currently in your database.

Each request that doesn't require authentication should also pass in this token. You check the token in your database if it is there then do the request, if not, you know what to do. If a token is consumed, you could either delete it from your DB (meaning each token is one-time use only).

EDIT: Regarding whether the correct manager approves/reject, well that's difficult without something like authentication to identity the manager.

We just rely on the fact that that URL can only be used once, and that it can only be seen on the email of the appropriate person.

Rey Libutan
  • 5,226
  • 9
  • 42
  • 73
  • I've one doubt, `token` is also apart of `url` only with other `parameters`. so what is the use of checking all these things. If I know the `token` so I can approve/reject a leave. – SatyaTNV Jul 17 '15 at 06:24
  • @Satya, yes it is not a perfect solution. As I mentioned in my answer, we only rely on the fact that the only ones (supposedly) who know this `token` is the database and the owner of the email it is being sent to. For example, a `token` is sent to my email, how would you know what it is? Unless you have my email of course. – Rey Libutan Jul 17 '15 at 06:27
  • thanks. I've some doubt so that I'm asking. Yes as you said it will difficult to others to identify which `token` is generated for each `leave request`. If some one knows the `token` then only they will do some action. – SatyaTNV Jul 17 '15 at 06:33
  • Hi, I've one more doubt. If suppose the `leave request` should be routed through `3` members like `hod`, `hr`, `manager` to `accept/reject` a leave. In this case what should I do. How can I generate a `token` to each one. Can you clarify it plz. – SatyaTNV Jul 17 '15 at 11:12
  • @Satya manager 1 gets the initial message, with a token generated for the request. He mails back to the server with his approval and token. Server confirms the token fits the message and sender, generates a new token and message to manager 2 (and saves the confirnmation from manager 1), etc. etc. all up the chain, until all stages of the chain have responded. Mind that you want to have options to have replacements for people in place in case a manager becomes unavailable due to say vacation or sick leave. – jwenting Jul 29 '15 at 11:15
  • @jwenting, all 3 managers will get a mail at a time after user request a leave. So all 3 managers are having same token. Then how this is possible. – SatyaTNV Jul 29 '15 at 11:21
  • @jwenting Thanks. so for each token must have a column in the table right. Means col1 for tok1, col2 for tok2, etc. – SatyaTNV Jul 29 '15 at 12:58
  • @Satya I'd rather go with a token table and a link table holdind foreign keys to both tables. That way you're flexible and can change the system to require more or fewer authorisations later without database changes if needed. – jwenting Jul 29 '15 at 13:02
  • @jwenting Thanks. i'm thinking that one only. – SatyaTNV Jul 29 '15 at 13:04
1

is it possible? Certainly.
Is it desirable? Maybe not. What prevents someone else from sending that confirmation email? You need to find a way to secure it all.
How to do it? A REST webservice comes to mind, with the manager just clicking a link in that automatically generated email which launches a webservice request.
Or you set up a system where the server can receive emails, and the manager can then just forward the leave request to either of 2 email addresses.

jwenting
  • 5,505
  • 2
  • 25
  • 30
1

There should be at least single authentication like a pin code or password before manager approve or disapprove the leave. Don't think about overhead, for such circumstances security is equally important.

Rhushikesh Chaudhari
  • 314
  • 3
  • 12
1

Is it possible to achieve this without log in to the application and saving values to the database and without breaching the security.

When the manager gets an email & he clicks on the approve. Ideally a request is fired from manager's system carrying an authentication token or something like a remember me token. In this case the application won't prompt the manager to login. It will tally the request token with token stored in the db & would let manager in.

Check how remember me works in web applications. You can create a remember me token for manager for an indefinite amount of time. This way the app will never prompt the manager for a login. But there is a caveat, this approach is a little vulnerable for attack. If there is a man in middle attack the hacker will get hold of the manager's client side cookies & would always login with ease. The auth token should be changed periodically. You can always implement remember me, it just depends on what level of security you require.

Bottom line: Yes it is possible, generate a remember me token which will always be included in the manager's email request for approving employee's leave request. Just follow the best practices to implement a remember me token.

Another way is

If your application is implementing security using filters. You can bypass the request for leave approval. Just put a secure none attribute for that particular request in ant style say "yourapp/approval" resource. Now the server side code would let all the requests in this pattern pass without security check. But this approach is a strict No No. If this happens a hacker which intercepts the leave request from the employee's browser can approve his leave by himself. No need of manager's authentication.

If yes, how can i implement this?

Implementing remember-me for a website

You can also integrate Spring Security with your code. It's hell of a framework, one stop solution for all the security related features which your app would require. You don't have to write the login for implementing auth token & stuff from scratch.

Community
  • 1
  • 1
underdog
  • 4,447
  • 9
  • 44
  • 89
1

Is it possible? Certainly.

Is it desirable? Yes

Use a one time hash(sha1 hash may be) in the link to approve and after approving the email, send an email to the person who approved the email saying that "He/She has approved a leave for this particular person" So the manager/authorizer is aware about it.

How password rest with an email link works could be a good analogy.

I think login is not critical for this scenario assuming that cancelling a approved leave is not that critical.(It happens usually in many companies)

tharindu_DG
  • 8,900
  • 6
  • 52
  • 64