struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mohit Gupta <motgu...@gmail.com>
Subject Re: Concealing primary key in web application with struts 2 from security perspective?
Date Sat, 30 Nov 2013 18:17:04 GMT
Guys looks like i was not clear in my question earlier. My requirement is
something like this

i make a call to struts 2 action which forwards the request to customer.jsp
which populates the fields from CustomerInfo.java (data object). Say
CustomerInfo has a field customerId .Assume its value was 100 when response
was sent to user on UI. But some hacker/user changes the value to 300 to
see some unauthorize data.

What i am trying to ask here does struts 2 provide any inbuilt interceptor
so that it can track those secure fields(assume i have
annotated customerId  with some annotation say @secureId) modification and
throw error in case it is modified.


On Sat, Nov 30, 2013 at 10:41 PM, Paul Benedict <pbenedict@apache.org>wrote:

> Mohit, feel free to check out Spring Security. It works with any framework
> to authenticate or authorize resources; it just becomes your responsibility
> to configure it correctly.
>
>
> On Sat, Nov 30, 2013 at 9:36 AM, Dave Newton <davelnewton@gmail.com>
> wrote:
>
> > I don't see how it could, since there are an essentially unlimited number
> > of back ends, authorization mechanisms, etc that would need to be
> accounted
> > for. Struts 2 is agnostic when it comes to basically everything but the
> web
> > layer.
> >  On Nov 30, 2013 3:40 AM, "Mohit Gupta" <motgupta@gmail.com> wrote:
> >
> > > I agree its not a struts 2 issue. My intention of question is just to
> ask
> > > does struts 2 provide any kind of implementation off the shelf (some
> kind
> > > of interceptor or any other approach)to address this. Thanks in advance
> > >
> > >
> > > On Sat, Nov 30, 2013 at 12:16 PM, Paul Benedict <pbenedict@apache.org
> > > >wrote:
> > >
> > > > Exposing the primary key is not a security issue; you always have to
> > key
> > > > off something. What you need is business logic that ensures that a
> user
> > > may
> > > > only access what he may. That's not a Struts issue; it's logic that
> you
> > > > need to add in your business services.
> > > >
> > > >
> > > > On Fri, Nov 29, 2013 at 11:24 PM, Mohit Gupta <motgupta@gmail.com>
> > > wrote:
> > > >
> > > > > When you have internet facing application , its important not to
> > expose
> > > > > direct object reference on UI to protect security
> vulnerability(where
> > > > user
> > > > > can retrieve the unauthorized data by merely changing the primary
> > key).
> > > > > When you are righting the application from scratch there are
> various
> > > ways
> > > > > you can handle it like :-
> > > > >
> > > > > 1)Handling at data layer where query has user id in where class.
> user
> > > id
> > > > > should be picked from session
> > > > >
> > > > > 2)Maintaining the map reference map at server side . Key can be
> some
> > > > number
> > > > > generated based on some algo and value will be primary key. Then
> > expose
> > > > > that number on ui . On server side get the value against that key.
> > Even
> > > > if
> > > > > user manipulate the number corresponding value wont be found and
> > throw
> > > an
> > > > > error. Something like this.
> > > > >
> > > > > There will be other ways also.
> > > > >
> > > > > My question is there something of similar kind available in struts
> 2
> > > >  where
> > > > > you can annotate the any field with primary key and it does the
> step
> > 2
> > > > for
> > > > > you or any other implementation to abstract primary key.  Any
> ideas?
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Cheers,
> > > > Paul
> > > >
> > >
> >
>
>
>
> --
> Cheers,
> Paul
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message