Thanks Ahmed. As you told, it's available in JSF and Shiro. What about Struts?
On Sun, Dec 1, 2013 at 2:13 AM, Ahmed Khan <ahmadkha...@gmail.com> wrote:
> Try other frameworks like Apache Shiro. Also JSF has a builtin feature
> where fields marked as disabled or read only are not transferred to and from
> the client.
>
>
> On Sat, Nov 30, 2013 at 9:43 PM, Dave Newton <davelnew...@gmail.com> wrote:
>
> > No, I think everyone understood. Struts is authorization-agnostic.
> >
> > On Nov 30, 2013 2:17 PM, "Mohit Gupta" <motgu...@gmail.com> wrote:
> >
> > > Guys, looks like I was not clear in my question earlier. My requirement is
> > > something like this:
> > >
> > > I make a call to a Struts 2 action which forwards the request to
> > > customer.jsp, which populates the fields from CustomerInfo.java (data
> > > object). Say CustomerInfo has a field customerId. Assume its value was 100
> > > when the response was sent to the user on the UI. But some hacker/user
> > > changes the value to 300 to see some unauthorized data.
> > >
> > > What I am trying to ask here: does Struts 2 provide any inbuilt interceptor
> > > so that it can track those secure fields (assume I have annotated
> > > customerId with some annotation, say @secureId) for modification and throw
> > > an error in case it is modified?
> > >
> > >
> > > On Sat, Nov 30, 2013 at 10:41 PM, Paul Benedict <pbened...@apache.org> wrote:
> > >
> > > > Mohit, feel free to check out Spring Security. It works with any
> > > > framework to authenticate or authorize resources; it just becomes your
> > > > responsibility to configure it correctly.
> > > >
> > > >
> > > > On Sat, Nov 30, 2013 at 9:36 AM, Dave Newton <davelnew...@gmail.com> wrote:
> > > >
> > > > > I don't see how it could, since there are an essentially unlimited
> > > > > number of back ends, authorization mechanisms, etc. that would need to
> > > > > be accounted for. Struts 2 is agnostic when it comes to basically
> > > > > everything but the web layer.
> > > > >
> > > > > On Nov 30, 2013 3:40 AM, "Mohit Gupta" <motgu...@gmail.com> wrote:
> > > > >
> > > > > > I agree it's not a Struts 2 issue. The intention of my question is
> > > > > > just to ask: does Struts 2 provide any kind of implementation off the
> > > > > > shelf (some kind of interceptor or any other approach) to address
> > > > > > this? Thanks in advance.
> > > > > >
> > > > > >
> > > > > > On Sat, Nov 30, 2013 at 12:16 PM, Paul Benedict <pbened...@apache.org> wrote:
> > > > > >
> > > > > > > Exposing the primary key is not a security issue; you always have
> > > > > > > to key off something. What you need is business logic that ensures
> > > > > > > that a user may only access what he may. That's not a Struts
> > > > > > > issue; it's logic that you need to add in your business services.
> > > > > > >
> > > > > > >
> > > > > > > On Fri, Nov 29, 2013 at 11:24 PM, Mohit Gupta <motgu...@gmail.com> wrote:
> > > > > > >
> > > > > > > > When you have an internet-facing application, it's important not
> > > > > > > > to expose direct object references on the UI, to protect against
> > > > > > > > the security vulnerability where a user can retrieve unauthorized
> > > > > > > > data by merely changing the primary key. When you are writing the
> > > > > > > > application from scratch there are various ways you can handle
> > > > > > > > it, like:
> > > > > > > >
> > > > > > > > 1) Handling at the data layer, where the query has the user id in
> > > > > > > > the where clause. The user id should be picked from the session.
> > > > > > > >
> > > > > > > > 2) Maintaining a reference map on the server side. The key can be
> > > > > > > > some number generated based on some algorithm and the value will
> > > > > > > > be the primary key. Then expose that number on the UI. On the
> > > > > > > > server side, get the value against that key. Even if the user
> > > > > > > > manipulates the number, the corresponding value won't be found
> > > > > > > > and an error is thrown. Something like this.
> > > > > > > >
> > > > > > > > There will be other ways also.
> > > > > > > >
> > > > > > > > My question is: is there something of a similar kind available in
> > > > > > > > Struts 2 where you can annotate any field with the primary key and
> > > > > > > > it does step 2 for you, or any other implementation to abstract
> > > > > > > > the primary key? Any ideas?
> > > > > > >
> > > > > > > --
> > > > > > > Cheers,
> > > > > > > Paul
> > > >
> > > > --
> > > > Cheers,
> > > > Paul
>
> --
> ------------------------------------
> http://www.operationbadar.net
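One way to implement the two approaches Mohit outlines in the quoted Nov 29 message (an owner filter in the data layer, and a server-side indirect reference map that hides the real primary key behind an unguessable token), as an added example in plain Java that is not from the original thread and is not part of Struts 2. The class names, user ids, customer records and the session handling are constructed for illustration; in a real application the `IndirectReferenceMap` instance would be stored in the user's HTTP session so tokens are scoped to the user who received them.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Constructed example (not Struts 2 code) of the two mitigations described in
 * the thread: an indirect reference map (approach 2) and an ownership filter
 * in the data layer (approach 1). All ids, users and records are made up.
 */
public class IndirectReferenceDemo {

    /** Approach 2: per-session map from an unguessable token to the real primary key. */
    public static final class IndirectReferenceMap {
        private static final SecureRandom RANDOM = new SecureRandom();
        private final Map<String, Long> tokenToId = new HashMap<>();
        private final Map<Long, String> idToToken = new HashMap<>();

        /** Token to render in the page in place of the real id; stable per id within a session. */
        public synchronized String expose(long primaryKey) {
            return idToToken.computeIfAbsent(primaryKey, id -> {
                byte[] bytes = new byte[16];   // 128 random bits: a client cannot guess a valid token
                RANDOM.nextBytes(bytes);
                String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
                tokenToId.put(token, id);
                return token;
            });
        }

        /** Real id for a token, or empty if this session never issued it (a tampered value). */
        public synchronized Optional<Long> resolve(String token) {
            return Optional.ofNullable(tokenToId.get(token));
        }
    }

    /** Approach 1: the data layer always filters by the owner taken from the session. */
    public static final class CustomerRepository {
        private final Map<Long, String> owners = new HashMap<>(); // customerId -> owning userId
        private final Map<Long, String> names = new HashMap<>();  // customerId -> display name

        public void add(long customerId, String ownerUserId, String name) {
            owners.put(customerId, ownerUserId);
            names.put(customerId, name);
        }

        /** In-memory equivalent of "... WHERE customer_id = ? AND owner_user_id = ?". */
        public Optional<String> findForUser(long customerId, String sessionUserId) {
            if (sessionUserId.equals(owners.get(customerId))) {
                return Optional.of(names.get(customerId));
            }
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        CustomerRepository repo = new CustomerRepository();
        repo.add(100L, "alice", "Alice's account");
        repo.add(300L, "bob", "Bob's account");

        // Rendering customer.jsp for alice: expose a token instead of customerId=100.
        IndirectReferenceMap refs = new IndirectReferenceMap(); // would live in alice's HTTP session
        String token = refs.expose(100L);
        System.out.println("Rendered in page: customerId=" + token);

        // Legitimate submit: the token comes back unchanged and resolves to 100.
        Long id = refs.resolve(token)
                .orElseThrow(() -> new IllegalArgumentException("unknown reference"));
        System.out.println("Resolved: " + id + " -> " + repo.findForUser(id, "alice").orElse("<denied>"));

        // Tampered submit: a value this session never issued does not resolve at all.
        System.out.println("Tampered value resolves? " + refs.resolve("300").isPresent());

        // Defence in depth: even with a real id, the data layer refuses rows the user does not own.
        System.out.println("Direct access to 300 as alice: " + repo.findForUser(300L, "alice").orElse("<denied>"));
    }
}
```

The two approaches are complementary rather than alternatives: the reference map stops a user from even naming a record that was never shown to them, while the owner filter in the query still catches any path that reaches the data layer with a real id (another action, an API, a bug in the mapping). For a ready-made version of approach 2, the OWASP ESAPI for Java library provides an `AccessReferenceMap` interface with a `RandomAccessReferenceMap` implementation that does the same token-for-id substitution.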