I don't see how it could, since there are an essentially unlimited number of back ends, authorization mechanisms, etc that would need to be accounted for. Struts 2 is agnostic when it comes to basically everything but the web layer. On Nov 30, 2013 3:40 AM, "Mohit Gupta" <motgu...@gmail.com> wrote:
> I agree it's not a Struts 2 issue. The intention of my question is just to ask
> whether Struts 2 provides any kind of implementation off the shelf (some kind
> of interceptor or any other approach) to address this. Thanks in advance.
>
>
> On Sat, Nov 30, 2013 at 12:16 PM, Paul Benedict <pbened...@apache.org> wrote:
>
> > Exposing the primary key is not a security issue; you always have to key
> > off something. What you need is business logic that ensures that a user may
> > only access what he may. That's not a Struts issue; it's logic that you
> > need to add in your business services.
> >
> >
> > On Fri, Nov 29, 2013 at 11:24 PM, Mohit Gupta <motgu...@gmail.com> wrote:
> >
> > > When you have an internet-facing application, it's important not to expose
> > > direct object references on the UI, to protect against a security
> > > vulnerability (where a user can retrieve unauthorized data by merely
> > > changing the primary key). When you are writing the application from
> > > scratch there are various ways you can handle it, like:
> > >
> > > 1) Handling it at the data layer, where the query has the user id in the
> > > WHERE clause. The user id should be picked from the session.
> > >
> > > 2) Maintaining a reference map at the server side. The key can be some
> > > number generated based on some algorithm and the value will be the primary
> > > key. Then expose that number on the UI. On the server side, get the value
> > > against that key. Even if the user manipulates the number, the
> > > corresponding value won't be found and an error is thrown. Something like
> > > this.
> > >
> > > There will be other ways also.
> > >
> > > My question is: is there something of a similar kind available in Struts 2
> > > where you can annotate any field with a primary key and it does step 2
> > > for you, or any other implementation to abstract the primary key? Any
> > > ideas?
> > >
> > >
> >
> > --
> > Cheers,
> > Paul
> >
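Both approaches from the thread sketched in plain Java, added here as an example; this is not code from the thread or from Struts 2 itself, and the `IndirectReferenceMap`, `Invoice` and `InvoiceRepository` names are assumptions for illustration. In a Struts 2 application one map instance would be stored in the user's HttpSession, and the owner id handed to the repository would be read from that session rather than from a request parameter.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (not from the thread or from Struts 2). Approach 2 above: a
 * per-user indirect reference map. One instance lives in the user's session;
 * the view only ever renders the opaque tokens, never the primary keys.
 */
public final class IndirectReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();

    private final Map<String, Long> tokenToKey = new ConcurrentHashMap<>();
    private final Map<Long, String> keyToToken = new ConcurrentHashMap<>();

    /** Token to render for a primary key; created on first use, stable afterwards. */
    public String toIndirect(long primaryKey) {
        return keyToToken.computeIfAbsent(primaryKey, key -> {
            String token = newToken();
            tokenToKey.put(token, key);
            return token;
        });
    }

    /**
     * Resolves a token posted back by the browser. A token that was never
     * handed to this session is treated as tampering and rejected.
     */
    public long toDirect(String token) {
        Long key = (token == null) ? null : tokenToKey.get(token);
        if (key == null) {
            throw new IllegalArgumentException("unknown object reference");
        }
        return key;
    }

    private static String newToken() {
        byte[] buf = new byte[16];          // 128 random bits: not guessable
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /* Approach 1 for contrast: the lookup is scoped by the owner id taken from
     * the session, so a guessed id that belongs to someone else finds nothing.
     * Invoice and InvoiceRepository are hypothetical in-memory stand-ins. */
    static final class Invoice {
        final long id;
        final long ownerId;
        Invoice(long id, long ownerId) { this.id = id; this.ownerId = ownerId; }
    }

    static final class InvoiceRepository {
        private final Map<Long, Invoice> rows = new HashMap<>();
        void save(Invoice invoice) { rows.put(invoice.id, invoice); }
        /** Same effect as: SELECT ... FROM invoice WHERE id = ? AND owner_id = ? */
        Invoice findForOwner(long id, long ownerIdFromSession) {
            Invoice row = rows.get(id);
            return (row != null && row.ownerId == ownerIdFromSession) ? row : null;
        }
    }

    public static void main(String[] args) {
        InvoiceRepository repo = new InvoiceRepository();
        repo.save(new Invoice(1001L, 42L));   // constructed sample: belongs to user 42
        repo.save(new Invoice(1002L, 7L));    // constructed sample: belongs to user 7

        long sessionUserId = 42L;             // would be read from the HttpSession
        IndirectReferenceMap refs = new IndirectReferenceMap(); // stored in that session

        // Rendering: the page receives a token, not the key 1001.
        String token = refs.toIndirect(1001L);
        System.out.println("rendered reference: " + token);

        // Postback with the genuine token resolves to the real key.
        System.out.println("resolved key: " + refs.toDirect(token));

        // Postback with a manipulated token: no mapping exists, so it is rejected.
        try {
            refs.toDirect(token.substring(1) + "A");
            System.out.println("BUG: tampered token accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }

        // Approach 1: even with the raw key 1002 in hand, the owner-scoped
        // lookup returns nothing for user 42, while the user's own row is found.
        System.out.println("cross-user lookup of 1002 by user 42: "
                + repo.findForOwner(1002L, sessionUserId));
        System.out.println("own lookup of 1001 by user 42 found: "
                + (repo.findForOwner(1001L, sessionUserId) != null));
    }
}
```

Compile and run with `javac IndirectReferenceMap.java && java IndirectReferenceMap`. Two practical caveats: the map must be created per session (a shared map would let one user's token resolve for another), and because tokens accumulate for the life of the session, a long-lived session that renders many objects should bound or clear the map. The owner-scoped query of approach 1 needs no such bookkeeping and is the simpler control when the data model carries an owner column.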