You might have misunderstood. What I meant is the "Person" in the tutorial, not the User (AppUser).
Bryan Noll wrote:
>
> I don't see what the 'serious security issue' that could result from
> someone finding out what the primary key of a persistent entity is. The
> only possible thing I can think of is somebody doing some magic to change
> it so it gets sent back in the request as a different value. That being
> said, presumably the person using the system is a person who would not
> want to do that... otherwise they wouldn't have credentials to get in in
> the first place.
>
> Willie... can you expand upon your thoughts here please?
>
> Matt Raible wrote:
>> On 3/9/07, wnqq <[EMAIL PROTECTED]> wrote:
>>>
>>> In the Struts2 tutorial page:
>>> http://appfuse.org/display/APF/Using+Struts+2
>>> It shows how to use Struts2 to write CRUD for the entity "Person".
>>>
>>> Because it uses the id (the PK of Person) that is shown on the web page to
>>> identify which record of person to use, it apparently causes a serious
>>> security issue.
>>
>> Why? I've been developing webapps this way for several years w/o any
>> issues.
>>
>>>
>>> I made a few changes to remove the id from the jsp pages and instead store
>>> it in the HttpSession.
>>> What I changed includes:
>>> - PersonAction/Test,
>>> - web-tests.xml,
>>> - personList.jsp, etc.
>>
>> Doesn't sound very scalable to me. I think you're a bit too paranoid.
>> ;-)
>>
>> Matt
>>
>>>
>>> If, in the future, you would like to update the tutorial as not showing id
>>> on the web, please let me know and it will be my pleasure to upload my code
>>> for your reference.
>>> --
>>> View this message in context:
>>> http://www.nabble.com/hide-id-of-person-from-the-web-pages-tf3376792s2369.html#a9398113
>>>
>>> Sent from the AppFuse - User mailing list archive at Nabble.com.
>>>
>
> --
> View this message in context: http://www.nabble.com/hide-id-of-person-from-the-web-pages-tf3376792s2369.html#a9399486
> Sent from the AppFuse - User mailing list archive at Nabble.com.
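The thread ends without saying what the server should do about an id that comes back altered, so here is an added example (not AppFuse's or the tutorial's code) of the check Bryan's scenario calls for: leave the primary key visible in the page, but have the action verify on every request that the record belongs to the authenticated user. Person, PersonManager, PersonAction and the ownerUsername field are assumed names; the Struts2 wiring is omitted.

```java
import java.util.HashMap;
import java.util.Map;

// Person, PersonManager and PersonAction are simplified stand-ins (assumed names)
// for the tutorial's classes; Struts2 wiring is omitted.
public class OwnershipCheckExample {
    static final class Person {
        final long id;
        final String ownerUsername; // user allowed to view or edit this record
        Person(long id, String ownerUsername) { this.id = id; this.ownerUsername = ownerUsername; }
    }

    // In-memory stand-in for the tutorial's PersonManager/DAO.
    static final class PersonManager {
        private final Map<Long, Person> store = new HashMap<>();
        void save(Person p) { store.put(p.id, p); }
        Person get(long id) { return store.get(id); }
    }

    static final class PersonAction {
        static final String SUCCESS = "success", NOT_FOUND = "notFound", DENIED = "denied";
        private final PersonManager manager;
        PersonAction(PersonManager manager) { this.manager = manager; }

        // 'id' is the untrusted value that came back from the form or URL;
        // 'currentUser' is the principal the container authenticated (in a servlet,
        // request.getRemoteUser()), never something taken from the request body.
        String edit(long id, String currentUser) {
            Person p = manager.get(id);
            if (p == null) return NOT_FOUND;
            // Bryan's tampering case: same id field, a different value. Deny and log;
            // a burst of these from one session is worth an alert.
            if (!p.ownerUsername.equals(currentUser)) {
                System.out.println("denied: " + currentUser + " requested person " + id);
                return DENIED;
            }
            return SUCCESS;
        }
    }

    public static void main(String[] args) {
        PersonManager m = new PersonManager();
        m.save(new Person(1, "alice")); // constructed sample data
        m.save(new Person(2, "bob"));
        PersonAction action = new PersonAction(m);
        System.out.println(action.edit(1, "alice")); // alice edits her own record
        System.out.println(action.edit(2, "alice")); // alice resubmits with id changed to 2
    }
}
```

Rendering the same generic error page for NOT_FOUND and DENIED keeps the response from confirming which ids exist, while the server-side log still records the two cases separately.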
