struts-user mailing list archives

From Mohit Gupta <>
Subject Concealing primary key in web application with struts 2 from security perspective?
Date Sat, 30 Nov 2013 05:24:25 GMT
When you have an internet-facing application, it's important not to expose
direct object references on the UI, to protect against a security vulnerability (where a user
can retrieve unauthorized data by merely changing the primary key).
When you are writing the application from scratch, there are various ways
you can handle it, like:

1) Handling it at the data layer, where the query has the user id in the WHERE clause. The user id
should be picked from the session.

2) Maintaining a reference map on the server side. The key can be some number
generated based on some algorithm, and the value will be the primary key. Then expose
that number on the UI. On the server side, get the value against that key. Even if the
user manipulates the number, the corresponding value won't be found and an
error will be thrown. Something like this.

There will be other ways also.

My question is: is there something of a similar kind available in Struts 2, where
you can annotate any field with a primary key and it does step 2 for
you, or any other implementation to abstract the primary key? Any ideas?

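The following is an added illustration of the second option in the message above (a server-side map from opaque tokens to primary keys); it is not code from the original post, and Struts 2 itself does not ship anything like it. The pattern is the one OWASP ESAPI calls an access reference map. The class name, the token format (16 random bytes, URL-safe Base64) and the sample record ids are assumptions made for the example; the only dependency is the JDK.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Per-session indirect reference map: the browser only ever sees random
 * opaque tokens, and the server resolves them back to the real primary key.
 * A token that was never handed out in this session resolves to nothing,
 * so editing the value in a URL or form field fails closed.
 *
 * Illustrative code, not part of Struts 2. Keep one instance per HTTP
 * session (for example in the session map a Struts action receives through
 * SessionAware) so the map also acts as the user's allow-list.
 */
public final class IndirectReferenceMap {
    private static final SecureRandom RANDOM = new SecureRandom();

    private final Map<String, Long> tokenToKey = new HashMap<>();
    private final Map<Long, String> keyToToken = new HashMap<>();

    /** Hands out (or reuses) the opaque token for a key the user is allowed to see. */
    public synchronized String getIndirectReference(long primaryKey) {
        String token = keyToToken.get(primaryKey);
        if (token == null) {
            token = newToken();
            keyToToken.put(primaryKey, token);
            tokenToKey.put(token, primaryKey);
        }
        return token;
    }

    /** Resolves a token taken from the request; unknown or tampered tokens are rejected. */
    public synchronized long getDirectReference(String token) {
        Long key = tokenToKey.get(token);
        if (key == null) {
            throw new IllegalArgumentException("Unknown object reference");
        }
        return key;
    }

    private String newToken() {
        byte[] bytes = new byte[16]; // 128 random bits: neither guessable nor enumerable
        String token;
        do {
            RANDOM.nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        } while (tokenToKey.containsKey(token)); // defensive; a collision is practically impossible
        return token;
    }

    public static void main(String[] args) {
        // Constructed sample: the record ids this session's user owns.
        IndirectReferenceMap refs = new IndirectReferenceMap();
        long[] ownRecordIds = {1001L, 1002L};
        for (long id : ownRecordIds) {
            System.out.println("record " + id + " -> token " + refs.getIndirectReference(id));
        }

        // The same key maps to the same token for the life of the session.
        String t = refs.getIndirectReference(1001L);
        if (!t.equals(refs.getIndirectReference(1001L)) || refs.getDirectReference(t) != 1001L) {
            throw new AssertionError("token round trip failed");
        }

        // A token the user typed or guessed (never issued here) is rejected.
        try {
            refs.getDirectReference("AAAAAAAAAAAAAAAAAAAAAA");
            System.out.println("tampered token accepted (should not happen)");
        } catch (IllegalArgumentException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

Two caveats a reviewer would raise before relying on this. First, the map only protects keys that were put into it through `getIndirectReference`, so every listing or detail page has to go through it; anywhere a raw id still reaches the browser, the indirection is bypassed. Second, it does not replace option 1 from the message: the query that finally loads the record should still scope by the user id held in the session, so a bug in populating the map cannot leak another user's data.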