struts-user mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: Concealing primary key in web application with struts 2 from security perspective?
Date Sat, 30 Nov 2013 15:35:46 GMT

> Date: Sat, 30 Nov 2013 10:54:25 +0530
> Subject: Concealing primary key in web application with struts 2 from security perspective?
> From: motgupta@gmail.com
> To: user@struts.apache.org
> 
> When you have an internet facing application, it's important not to expose
> direct object references on the UI, to protect against a security vulnerability (where a user
> can retrieve unauthorized data by merely changing the primary key).
> When you are righting the application from scratch there are various ways
> you can handle it like :-
MG>?what is righting ...please explain?
 
> 1) Handling at the data layer, where the query has the user id in the where clause. The user id
> should be picked from the session.
> 
> 2) Maintaining a reference map at the server side. The key can be some number
> generated based on some algo and the value will be the primary key. Then expose
> that number on the UI. On the server side get the value against that key. Even if the
> user manipulates the number, the corresponding value won't be found and it will throw an
> error. Something like this.
> 
> There will be other ways also.
MG>Park your webapp on a server which guards outside entry by funneling thru a Secure TLS connector...start here
MG>http://www.digicert.com/ssl-certificate-installation-ibm-websphere.htm
MG>Feel free to pingback with any questions
 
> My question is: is there something of a similar kind available in Struts 2 where
> you can annotate any field with the primary key and it does step 2 for
> you, or any other implementation to abstract the primary key? Any ideas?
MG>most apps don't interact directly with the Database but would go thru :
MG>ORM .. unique key would need to be mapped to ORM defined Attribute
MG>EntityManager unique key would need to be mapped to EntityManager defined Attribute
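What the question calls option 2, written out as an added example (this is not code from the thread or from Struts 2 itself): an opaque per-session token stands in for the primary key, and a submitted token that the session never issued resolves to nothing, so the action rejects it before touching the database. IndirectReferenceMap, ViewOrderAction, the `ref` request parameter and the `refMap` session key are assumed names; the session map comes from Struts 2's SessionAware interceptor contract.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

/** Per-session map from opaque tokens to real primary keys (assumed helper, not a Struts API). */
public final class IndirectReferenceMap implements java.io.Serializable {
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Long> tokenToId = new HashMap<>();
    private final Map<Long, String> idToToken = new HashMap<>();
    /** Token to render in the UI instead of the primary key; stable for the same key within a session. */
    public synchronized String tokenFor(long primaryKey) {
        String existing = idToToken.get(primaryKey);
        if (existing != null) {
            return existing;
        }
        byte[] bytes = new byte[16];                       // 128 random bits from a CSPRNG: not guessable
        random.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        tokenToId.put(token, primaryKey);
        idToToken.put(primaryKey, token);
        return token;
    }
    /** Resolves a token sent back by the browser; empty if this session never issued it. */
    public synchronized Optional<Long> resolve(String token) {
        return Optional.ofNullable(tokenToId.get(token));
    }
}

/** Sketch of a Struts 2 action that accepts only the opaque token (assumed action and field names). */
class ViewOrderAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;
    private String ref;                                    // request parameter "ref", never the raw id
    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setRef(String ref) { this.ref = ref; }
    @Override
    public String execute() {
        IndirectReferenceMap map = (IndirectReferenceMap)
                session.computeIfAbsent("refMap", k -> new IndirectReferenceMap());
        Optional<Long> id = map.resolve(ref);
        if (!id.isPresent()) { return ERROR; }             // tampered or unknown token: no DB lookup at all
        // Still scope the query by the session's user (the question's option 1) before loading id.get().
        return SUCCESS;
    }
}
```

When rendering a list, call `tokenFor` on each row's key and emit the token in links and forms; because the map lives in the HttpSession, a token copied from one user's page resolves to nothing in another user's session.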