Sorry that I might mislead you... Let me explain it in more details... "Person" can easily mislead us to think of "User", so let me use "Car" instead for the following discussions.
As far as I know, the code generated by AppGen (and the upcoming AMP) follows the tutorial. That means, by providing an id of an Car, we can edit or delete any Car as long as the id exists in the database. Well, the current tutorial does allow a User to be able to edit ALL or NONE of Cars. However, for a practical application, a User is allowed to control only a certain number of Cars. In that practical case, using id is not enough to restrict Users to access unauthorized Cars. For example, assuming there are total of 100 Car records in the database. Assuming 3 Cars belong to me, and I am allowed to do a filtered search (select from car where owner = 'myname') and then edit the returned list. Practically, I should not be able to edit the other 97 Cars. However, I can simply access url=/editCar.html?id=99 and then change the owner of Car (id=99) to be myself. So I can easily get one more car without paying any money. :) That's the security issue I was talking about. There are several ways to prevent it: (1) one is storing id in the session instead of showing it on the web page. (2) another one is implementing an authorization mechanism which is similar to what is applied to User. (3) etc mraible wrote: > > On 3/9/07, wnqq <[EMAIL PROTECTED]> wrote: >> >> In the Struts2 tutorial page: >> http://appfuse.org/display/APF/Using+Struts+2 >> It shows how to use Struts2 to write CRUD for the entity "Person". >> >> Because it use the id (the PK of Person) that is shown on the web page to >> identity which record of person to use, it apparently causes a serious >> security issue. > > Why? I've been developing webapps this way for several years w/o any > issues. > >> >> I made a few changes to remove the id from the jsp pages and instead >> store >> it in the HttpSession. >> What I changes include: >> - PersonAction/Test, >> - web-tests.xml, >> - personList.jsp, etc. > > Doesn't sound very scalable to me. I think you're a bit too paranoid. ;-) > > Matt > >> >> If, in the future, you would like to update the tutorial as not showing >> id >> on the web, please let me know and it will be my pleasure to upload my >> code >> for your references. >> -- >> View this message in context: >> http://www.nabble.com/hide-id-of-person-from-the-web-pages-tf3376792s2369.html#a9398113 >> Sent from the AppFuse - User mailing list archive at Nabble.com. >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> > > > -- > http://raibledesigns.com > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > -- View this message in context: http://www.nabble.com/hide-id-of-person-from-the-web-pages-tf3376792s2369.html#a9400005 Sent from the AppFuse - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
