I don't see what 'serious security issue' could result from someone
finding out what the primary key of a persistent entity is. The only
possible thing I can think of is somebody doing some magic to change it
so it gets sent back in the request as a different value. That being
said, presumably the person using the system is a person who would not
want to do that... otherwise they wouldn't have credentials to get in in
the first place.
Willie... can you expand upon your thoughts here please?
Matt Raible wrote:
On 3/9/07, wnqq <[EMAIL PROTECTED]> wrote:
In the Struts2 tutorial page:
http://appfuse.org/display/APF/Using+Struts+2
It shows how to use Struts2 to write CRUD for the entity "Person".
Because it uses the id (the PK of Person) that is shown on the web page
to identify which record of Person to use, it apparently causes a
serious security issue.
Why? I've been developing webapps this way for several years w/o any
issues.
I made a few changes to remove the id from the jsp pages and instead
store it in the HttpSession.
What I changed includes:
- PersonAction/Test,
- web-tests.xml,
- personList.jsp, etc.
Doesn't sound very scalable to me. I think you're a bit too paranoid.
;-)
Matt
If, in the future, you would like to update the tutorial as not showing
id on the web, please let me know and it will be my pleasure to upload
my code for your references.
--
View this message in context:
http://www.nabble.com/hide-id-of-person-from-the-web-pages-tf3376792s2369.html#a9398113
Sent from the AppFuse - User mailing list archive at Nabble.com.
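The tampering case raised in the reply above (a user changing the id before it is sent back), as an added plain-Java example that is not code from this thread or from AppFuse: it assumes a hypothetical owner field on Person and an in-memory stand-in for the PersonManager lookup, and contrasts an action that trusts the submitted id with one that re-checks, on every request, that the authenticated user may touch that record.

```java
import java.util.HashMap;
import java.util.Map;

/** Plain-Java sketch (Java 16+ for records); no Struts 2 classes are needed to run it. */
public class PersonAccessCheck {

    /** Hypothetical entity: the tutorial's "Person" plus an owner column this example assumes. */
    record Person(long id, String name, String ownerUsername) {}

    /** Constructed sample data standing in for the PersonManager lookup; not AppFuse code. */
    static final Map<Long, Person> PEOPLE = new HashMap<>();
    static {
        PEOPLE.put(1L, new Person(1L, "Alice", "alice"));
        PEOPLE.put(2L, new Person(2L, "Bob", "bob"));
    }

    /** Outcome an action would map to a Struts result name (success, input, or an error page). */
    enum Result { SUCCESS, NOT_FOUND, FORBIDDEN }

    /**
     * The edit action in its trusting form: whatever id arrives in the request selects the
     * record. The logged-in user is never consulted, so a resubmitted form with the id
     * changed to another person's key is indistinguishable from a legitimate edit.
     */
    static Result editTrustingId(long id, String currentUser) {
        return PEOPLE.containsKey(id) ? Result.SUCCESS : Result.NOT_FOUND;
    }

    /**
     * The hardened form: the id may stay visible in the page and URL; what makes it safe to
     * accept is that each request re-checks the authenticated user against the loaded record.
     */
    static Result editWithOwnerCheck(long id, String currentUser) {
        Person p = PEOPLE.get(id);
        if (p == null) return Result.NOT_FOUND;
        if (!p.ownerUsername().equals(currentUser)) return Result.FORBIDDEN;
        return Result.SUCCESS;
    }

    public static void main(String[] args) {
        // alice edits her own record, then resubmits the form with the id changed to Bob's;
        // the trusting action treats both alike, the owner check separates them
        System.out.println("own record, trusting id:   " + editTrustingId(1L, "alice"));
        System.out.println("tampered id, trusting id:  " + editTrustingId(2L, "alice"));
        System.out.println("own record, owner check:   " + editWithOwnerCheck(1L, "alice"));
        System.out.println("tampered id, owner check:  " + editWithOwnerCheck(2L, "alice"));
    }
}
```

Moving the id into the HttpSession only changes where the selected key is kept; the ownership check is what decides whether a given user may act on a given record, and it works the same whether the id is shown on the page or not.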
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]