struts-user mailing list archives
From Dave Newton <davelnew...@gmail.com>
Subject Re: Concealing primary key in web application with struts 2 from security perspective?
Date Sat, 30 Nov 2013 15:36:19 GMT
I don't see how it could, since there are an essentially unlimited number
of back ends, authorization mechanisms, etc that would need to be accounted
for. Struts 2 is agnostic when it comes to basically everything but the web
layer.
On Nov 30, 2013 3:40 AM, "Mohit Gupta" <motgupta@gmail.com> wrote:

> I agree it's not a Struts 2 issue. My intention in asking is just to find out
> whether Struts 2 provides any kind of implementation off the shelf (some kind
> of interceptor or any other approach) to address this. Thanks in advance.
>
>
> On Sat, Nov 30, 2013 at 12:16 PM, Paul Benedict <pbenedict@apache.org> wrote:
>
> > Exposing the primary key is not a security issue; you always have to key
> > off something. What you need is business logic that ensures that a user
> > may only access what he may. That's not a Struts issue; it's logic that you
> > need to add in your business services.
> >
> >
> > On Fri, Nov 29, 2013 at 11:24 PM, Mohit Gupta <motgupta@gmail.com> wrote:
> >
> > > When you have an internet-facing application, it's important not to expose
> > > direct object references on the UI, to protect against the security
> > > vulnerability where a user can retrieve unauthorized data by merely
> > > changing the primary key. When you are writing the application from
> > > scratch there are various ways you can handle it, like:
> > >
> > > 1) Handling it at the data layer, where the query has the user id in the
> > > WHERE clause. The user id should be picked from the session.
> > >
> > > 2) Maintaining a reference map on the server side. The key can be some
> > > number generated based on some algorithm and the value will be the primary
> > > key. Then expose that number on the UI. On the server side, get the value
> > > against that key. Even if the user manipulates the number, the
> > > corresponding value won't be found and an error is thrown. Something like
> > > this.
> > >
> > > There will be other ways also.
> > >
> > > My question is: is there something of a similar kind available in Struts 2
> > > where you can annotate any field with a primary key and it does step 2 for
> > > you, or any other implementation to abstract the primary key? Any ideas?
> > >
> >
> >
> >
> > --
> > Cheers,
> > Paul
> >
>
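One way to implement the two approaches Mohit describes, combined with the per-user check Paul recommends, as an added example that is not part of the thread and not code shipped by Struts 2. It is plain Java with no framework dependency, so it can be called from a Struts 2 action or interceptor; it assumes the IndirectReferences instance lives in the logged-in user's HTTP session (for instance stored there by an action that implements Struts' SessionAware) and that currentUserId is read from that same session. The class names, the invoice "table" and its sample rows are constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Optional;

/**
 * Added example, not Struts code: approach 2 (indirect references) plus
 * approach 1 / Paul's point (data access scoped to the current user).
 */
public final class IdorExample {

    /**
     * Approach 2: a per-session map from opaque, unguessable tokens to real primary keys.
     * One instance per logged-in user (assumed to be stored in the HTTP session); a
     * single global map would only obfuscate ids, not restrict what a user can reach.
     */
    public static final class IndirectReferences {
        private static final SecureRandom RNG = new SecureRandom();
        private final Map<String, Long> tokenToId = new HashMap<>();
        private final Map<Long, String> idToToken = new HashMap<>();

        /** Token to render in the UI instead of {@code id}; minted on first use. */
        public synchronized String tokenFor(long id) {
            String existing = idToToken.get(id);
            if (existing != null) {
                return existing;
            }
            byte[] raw = new byte[16];                  // 128 random bits: not enumerable
            RNG.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            tokenToId.put(token, id);
            idToToken.put(id, token);
            return token;
        }

        /** Resolve a token the client sent back; a tampered or foreign token is rejected. */
        public synchronized long resolve(String token) {
            Long id = tokenToId.get(token);
            if (id == null) {
                throw new NoSuchElementException("unknown object reference");
            }
            return id;
        }
    }

    /**
     * Approach 1: the data access itself is scoped to the current user, so a real id
     * that belongs to someone else simply returns nothing. The owner id comes from
     * the session, never from the request.
     */
    public static final class InvoiceRepository {
        // Constructed sample data standing in for a table: invoice id -> owner user id.
        private final Map<Long, Long> owners = Map.of(101L, 1L, 102L, 1L, 201L, 2L);

        /** Equivalent of: SELECT id FROM invoice WHERE id = ? AND owner_id = ? */
        public Optional<Long> findForOwner(long invoiceId, long currentUserId) {
            Long owner = owners.get(invoiceId);
            if (owner == null || owner.longValue() != currentUserId) {
                return Optional.empty();
            }
            return Optional.of(invoiceId);
        }
    }

    public static void main(String[] args) {
        long currentUserId = 1L;                              // assumed: read from the session
        InvoiceRepository repo = new InvoiceRepository();
        IndirectReferences refs = new IndirectReferences();   // assumed: lives in this user's session

        // Rendering a list page: hand the browser a token, not the primary key.
        String token101 = refs.tokenFor(101L);
        System.out.println("link shown to user: /invoice/view?ref=" + token101);

        // The request comes back with the token: resolve it, then still scope the query.
        long id = refs.resolve(token101);
        System.out.println("invoice 101 visible to user 1: "
                + repo.findForOwner(id, currentUserId).isPresent());

        // Tampering with the token: no mapping exists, so the request is rejected.
        try {
            refs.resolve("AAAAAAAAAAAAAAAAAAAAAA");
        } catch (NoSuchElementException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }

        // Tampering with a raw id under approach 1 alone: the ownership predicate filters it out.
        System.out.println("invoice 201 visible to user 1: "
                + repo.findForOwner(201L, currentUserId).isPresent());
    }
}
```

Two caveats worth keeping in mind with approach 2. The token map has to be per user (per session) and expire with it; a shared map turns the scheme into obfuscation, since any token handed to one user resolves for every user. And resolving a token is not an authorization decision: the map only proves the id was once rendered for this session, so the scoped query or an explicit ownership check in the service layer, as Paul describes, is still what prevents the user from reaching records they should not see.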
