Subject: Re: Concealing primary key in web application with struts 2 from security perspective?
From: Dave Newton
To: Struts Users Mailing List
Date: Sat, 30 Nov 2013 10:36:19 -0500
Mailing-List: contact user-help@struts.apache.org; run by ezmlm
List-Id: "Struts Users Mailing List"

I don't see how it could, since there are an essentially unlimited number of
back ends, authorization mechanisms, etc. that would need to be accounted for.
Struts 2 is agnostic when it comes to basically everything but the web layer.

On Nov 30, 2013 3:40 AM, "Mohit Gupta" wrote:

> I agree it's not a Struts 2 issue. My intention with the question is just to
> ask whether Struts 2 provides any kind of implementation off the shelf (some
> kind of interceptor or any other approach) to address this. Thanks in advance
>
> On Sat, Nov 30, 2013 at 12:16 PM, Paul Benedict wrote:
>
> > Exposing the primary key is not a security issue; you always have to key
> > off something. What you need is business logic that ensures that a user
> > may only access what he may. That's not a Struts issue; it's logic that
> > you need to add in your business services.
> >
> > On Fri, Nov 29, 2013 at 11:24 PM, Mohit Gupta wrote:
> >
> > > When you have an internet-facing application, it's important not to
> > > expose direct object references on the UI, to protect against the
> > > security vulnerability (where a user can retrieve unauthorized data by
> > > merely changing the primary key). When you are writing the application
> > > from scratch there are various ways you can handle it, like:
> > >
> > > 1) Handling it at the data layer, where the query has the user id in
> > > the WHERE clause. The user id should be picked from the session.
> > >
> > > 2) Maintaining a reference map at the server side. The key can be some
> > > number generated based on some algorithm and the value will be the
> > > primary key. Then expose that number on the UI. On the server side, get
> > > the value against that key. Even if the user manipulates the number,
> > > the corresponding value won't be found and it will throw an error.
> > > Something like this.
> > >
> > > There will be other ways also.
> > >
> > > My question is: is there something of a similar kind available in
> > > Struts 2, where you can annotate any field with the primary key and it
> > > does step 2 for you, or any other implementation to abstract the
> > > primary key? Any ideas?
> >
> > --
> > Cheers,
> > Paul
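A sketch of the second approach from the thread (a per-session indirect reference map that hands the browser an opaque token instead of the primary key), added here as an illustration; it is not code from Struts 2 or from anyone in the thread, and the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical per-session indirect reference map. The UI only ever sees an
 * unguessable token; the server maps it back to the real primary key. A token
 * this session never issued (for example one edited by hand in the URL) does
 * not resolve, so the lookup fails before any data is fetched.
 */
public final class IndirectReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Long> tokenToKey = new HashMap<>();
    private final Map<Long, String> keyToToken = new HashMap<>();

    /** Issue (or reuse) the opaque token for a key the current user may see. */
    public synchronized String expose(long primaryKey) {
        String existing = keyToToken.get(primaryKey);
        if (existing != null) {
            return existing;                  // stable token for repeated renders
        }
        byte[] raw = new byte[16];            // 128 random bits: not enumerable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenToKey.put(token, primaryKey);
        keyToToken.put(primaryKey, token);
        return token;
    }

    /** Resolve a token sent back by the browser; rejects anything not issued here. */
    public synchronized long resolve(String token) {
        Long key = tokenToKey.get(token);
        if (key == null) {
            throw new IllegalArgumentException("unknown object reference");
        }
        return key;
    }

    // Demo: one map per HTTP session (e.g. held by a SessionAware action).
    public static void main(String[] args) {
        IndirectReferenceMap session = new IndirectReferenceMap();
        String t = session.expose(42L);       // this value goes into the page/URL
        System.out.println("token resolves to " + session.resolve(t));
        try {
            session.resolve("43");            // a tampered parameter: never issued
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The map only helps if expose() is called solely for objects the user is authorized to see, which is exactly the business-logic check Paul describes; it also grows with the session, so it should be dropped when the session ends.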