Posted to user@struts.apache.org by Mohit Gupta <mo...@gmail.com> on 2013/11/30 06:24:25 UTC

Concealing primary key in web application with struts 2 from security perspective?

When you have an internet-facing application, it's important not to expose
direct object references on the UI, to protect against the security vulnerability
where a user can retrieve unauthorized data by merely changing the primary key.
When you are writing the application from scratch there are various ways
you can handle it, like:

1) Handling it at the data layer, where the query has the user id in the WHERE
clause. The user id should be picked from the session.

2) Maintaining a reference map at the server side. The key can be some number
generated based on some algorithm and the value will be the primary key. Then expose
that number on the UI. On the server side, get the value against that key. Even if
the user manipulates the number, the corresponding value won't be found and an
error is thrown. Something like this.

There will be other ways also.

My question is: is there something of a similar kind available in Struts 2, where
you can annotate any primary-key field and it does step 2 for
you, or any other implementation to abstract the primary key? Any ideas?
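The two approaches from the post above, as an added example that is not part of the thread: plain Java with no Struts dependency, with hypothetical CustomerRepository and ReferenceMap classes, a CustomerInfo stand-in, and constructed sample records (customerId 100 owned by user 1, 300 owned by user 2). In a Struts 2 application the ReferenceMap would be stored in the HTTP session, one instance per user, and the repository would be called from the action or service layer.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added example, not from the mailing-list thread. Shows the two approaches of the
 * original post without any framework code:
 *  1) ownership is enforced in the data layer, scoped by the user id from the session;
 *  2) the page carries an unguessable per-session token instead of the primary key.
 * All class and method names are hypothetical.
 */
public class IndirectReferenceDemo {

    /** Minimal stand-in for the CustomerInfo data object mentioned in the thread. */
    static final class CustomerInfo {
        final long customerId;
        final long ownerUserId;   // the user allowed to see this record
        final String name;
        CustomerInfo(long customerId, long ownerUserId, String name) {
            this.customerId = customerId; this.ownerUserId = ownerUserId; this.name = name;
        }
    }

    /** Approach 1: the repository deliberately offers no findById(id) without the owner. */
    static final class CustomerRepository {
        private final Map<Long, CustomerInfo> table = new HashMap<>();
        void save(CustomerInfo c) { table.put(c.customerId, c); }

        // Equivalent of "... WHERE customer_id = ? AND owner_user_id = ?", where the owner
        // comes from the server-side session, never from the request. A record owned by
        // someone else is simply "not found", indistinguishable from a non-existent id.
        Optional<CustomerInfo> findForOwner(long sessionUserId, long customerId) {
            CustomerInfo c = table.get(customerId);
            return (c != null && c.ownerUserId == sessionUserId) ? Optional.of(c) : Optional.empty();
        }
    }

    /** Approach 2: per-session map from a random token to the real primary key. */
    static final class ReferenceMap {
        private static final SecureRandom RNG = new SecureRandom();
        private final Map<String, Long> tokenToKey = new HashMap<>();
        private final Map<Long, String> keyToToken = new HashMap<>();

        /** Called while rendering the page; the token is what goes into the HTML or URL. */
        String referenceFor(long primaryKey) {
            String existing = keyToToken.get(primaryKey);
            if (existing != null) return existing;        // stable for the life of the session
            byte[] raw = new byte[16];                     // 128 random bits: not enumerable
            RNG.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            tokenToKey.put(token, primaryKey);
            keyToToken.put(primaryKey, token);
            return token;
        }

        /** Called when the request comes back; an unknown or edited token resolves to nothing. */
        Optional<Long> resolve(String token) {
            return Optional.ofNullable(tokenToKey.get(token));
        }
    }

    public static void main(String[] args) {
        CustomerRepository repo = new CustomerRepository();
        repo.save(new CustomerInfo(100L, 1L, "Alice's account"));   // constructed: owned by user 1
        repo.save(new CustomerInfo(300L, 2L, "Bob's account"));     // constructed: owned by user 2

        long sessionUserId = 1L;   // constructed: would be read from the HTTP session
        // Approach 1: user 1 requesting 300 (the thread's "change 100 to 300") gets nothing,
        // because record 300 belongs to user 2.
        System.out.println("own record 100 found: " + repo.findForOwner(sessionUserId, 100L).isPresent());
        System.out.println("other's record 300 found: " + repo.findForOwner(sessionUserId, 300L).isPresent());

        // Approach 2: the page carries a token instead of 100; editing it cannot hit another record.
        ReferenceMap refs = new ReferenceMap();   // one instance per HTTP session
        String token = refs.referenceFor(100L);
        System.out.println("token on page: " + token);
        System.out.println("token resolves to: " + refs.resolve(token));
        System.out.println("edited token resolves to: " + refs.resolve(token + "x"));
        System.out.println("raw key sent as token resolves to: " + refs.resolve("300"));
    }
}
```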

RE: Concealing primary key in web application with struts 2 from security perspective?

Posted by Martin Gainty <mg...@hotmail.com>.
  


> Date: Sat, 30 Nov 2013 10:54:25 +0530
> Subject: Concealing primary key in web application with struts 2 from security perspective?
> From: motgupta@gmail.com
> To: user@struts.apache.org
> 
> When you have internet facing application , its important not to expose
> direct object reference on UI to protect security vulnerability(where user
> can retrieve the unauthorized data by merely changing the primary key).
> When you are righting the application from scratch there are various ways
> you can handle it like :-
MG>?what is righting ...please explain?
 
> 1)Handling at data layer where query has user id in where class. user id
> should be picked from session
> 
> 2)Maintaining the map reference map at server side . Key can be some number
> generated based on some algo and value will be primary key. Then expose
> that number on ui . On server side get the value against that key. Even if
> user manipulate the number corresponding value wont be found and throw an
> error. Something like this.
> 
> There will be other ways also.
MG>Park your webapp on a server which guards outside entry by funneling thru a Secure TLS connector...start here
MG>http://www.digicert.com/ssl-certificate-installation-ibm-websphere.htm
MG>Feel free to pingback with any questions
 
> My question is there something of similar kind available in struts 2 where
> you can annotate the any field with primary key and it does the step 2 for
> you or any other implementation to abstract primary key. Any ideas?
MG>most apps don't interact directly with the Database but would go thru:
MG>ORM .. unique key would need to be mapped to ORM defined Attribute
MG>EntityManager unique key would need to be mapped to EntityManager defined Attribute

Re: Concealing primary key in web application with struts 2 from security perspective?

Posted by Mohit Gupta <mo...@gmail.com>.
Thanks Ahmed. As you said, it's available in JSF and Shiro. What about Struts?


On Sun, Dec 1, 2013 at 2:13 AM, Ahmed Khan <ah...@gmail.com> wrote:

> Try other frameworks like Apache Shiro. Also, JSF has a built-in feature
> where fields marked as disabled or read-only are not transferred to and from
> the client.

Re: Concealing primary key in web application with struts 2 from security perspective?

Posted by Ahmed Khan <ah...@gmail.com>.
Try other frameworks like Apache Shiro. Also, JSF has a built-in feature
where fields marked as disabled or read-only are not transferred to and from
the client.




On Sat, Nov 30, 2013 at 9:43 PM, Dave Newton <da...@gmail.com> wrote:

> No, I think everyone understood. Struts is authorization-agnostic.



-- 
------------------------------------
http://www.operationbadar.net

Re: Concealing primary key in web application with struts 2 from security perspective?

Posted by Dave Newton <da...@gmail.com>.
No, I think everyone understood. Struts is authorization-agnostic.
 On Nov 30, 2013 2:17 PM, "Mohit Gupta" <mo...@gmail.com> wrote:

> Guys, it looks like I was not clear in my question earlier. My requirement is
> something like this:
>
> I make a call to a Struts 2 action which forwards the request to customer.jsp,
> which populates the fields from CustomerInfo.java (data object). Say
> CustomerInfo has a field customerId. Assume its value was 100 when the response
> was sent to the user on the UI. But some hacker/user changes the value to 300 to
> see some unauthorized data.
>
> What I am trying to ask here is: does Struts 2 provide any inbuilt interceptor
> that can track modification of those secure fields (assume I have
> annotated customerId with some annotation, say @secureId) and
> throw an error in case it is modified?

Re: Concealing primary key in web application with struts 2 from security perspective?

Posted by Maurizio Cucchiara <mc...@apache.org>.
The easiest way is to store the user id in the current session.
If you have no other alternative and you have to pass the user id through
the request, then make the id unpredictable:
* use a UUID
* rely on and check against at least one other value (for instance id+email)
* use cryptography (f.i. sha1(usr name, id, time, seed)).

And, as someone else already said, Struts doesn't have such built-in
functionality.
On 30 Nov 2013 18:17, "Mohit Gupta" <mo...@gmail.com> wrote:

> Guys, it looks like I was not clear in my question earlier. My requirement is
> something like this:
>
> I make a call to a Struts 2 action which forwards the request to customer.jsp,
> which populates the fields from CustomerInfo.java (data object). Say
> CustomerInfo has a field customerId. Assume its value was 100 when the response
> was sent to the user on the UI. But some hacker/user changes the value to 300 to
> see some unauthorized data.
>
> What I am trying to ask here is: does Struts 2 provide any inbuilt interceptor
> that can track modification of those secure fields (assume I have
> annotated customerId with some annotation, say @secureId) and
> throw an error in case it is modified?
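Maurizio's third option, worked through as an added example that is not from the thread: instead of a bare sha1(...) over id, time and seed it uses HMAC-SHA256 keyed with a server-side secret over the session user id and the record id, which is the standard keyed construction for this and also binds the reference to the user as his second bullet suggests. Unlike a session-scoped map, the server stores nothing per session and only recomputes. The class name, method names and sample values are assumptions.

```java
import java.security.MessageDigest;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not from the mailing-list thread. The page carries "<id>.<mac>" where
 * mac = HMAC-SHA256(serverSecret, sessionUserId || id). On the way back the server
 * recomputes the MAC for the *current* session user and compares in constant time,
 * so neither editing the id nor reusing another user's reference resolves to a record.
 * Hypothetical class and method names.
 */
public class SignedReference {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private final SecretKeySpec key;

    SignedReference(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, ALG);
    }

    /** Render time: turns customerId 100 into an opaque, user-bound reference. */
    String issue(long sessionUserId, long customerId) {
        return customerId + "." + B64E.encodeToString(mac(sessionUserId, customerId));
    }

    /** Request time: yields the id only if the MAC matches for this session user. */
    Optional<Long> verify(long sessionUserId, String reference) {
        int dot = reference.indexOf('.');
        if (dot <= 0) return Optional.empty();
        long customerId;
        byte[] presented;
        try {
            customerId = Long.parseLong(reference.substring(0, dot));
            presented = B64D.decode(reference.substring(dot + 1));
        } catch (IllegalArgumentException e) {   // NumberFormatException is a subclass
            return Optional.empty();
        }
        byte[] expected = mac(sessionUserId, customerId);
        // MessageDigest.isEqual is constant-time: timing does not reveal how much matched.
        return MessageDigest.isEqual(expected, presented) ? Optional.of(customerId) : Optional.empty();
    }

    private byte[] mac(long userId, long customerId) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(key);
            // Fixed-width big-endian fields, so (1, 23) and (12, 3) cannot collide.
            byte[] msg = new byte[16];
            for (int i = 0; i < 8; i++) {
                msg[i] = (byte) (userId >>> (56 - 8 * i));
                msg[8 + i] = (byte) (customerId >>> (56 - 8 * i));
            }
            return mac.doFinal(msg);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);   // constructed: in practice loaded from server config
        SignedReference refs = new SignedReference(secret);

        String ref = refs.issue(1L, 100L);       // what user 1's customer.jsp would carry
        System.out.println("as issued:          " + refs.verify(1L, ref));
        // The thread's scenario: the user edits 100 to 300, but the MAC still covers 100.
        String tampered = "300" + ref.substring(ref.indexOf('.'));
        System.out.println("id edited to 300:   " + refs.verify(1L, tampered));
        // A reference copied out of user 1's page is useless in user 2's session.
        System.out.println("replayed by user 2: " + refs.verify(2L, ref));
        System.out.println("malformed input:    " + refs.verify(1L, "not-a-reference"));
    }
}
```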

Re: Concealing primary key in web application with struts 2 from security perspective?

Posted by Mohit Gupta <mo...@gmail.com>.
Guys, it looks like I was not clear in my question earlier. My requirement is
something like this:

I make a call to a Struts 2 action which forwards the request to customer.jsp,
which populates the fields from CustomerInfo.java (data object). Say
CustomerInfo has a field customerId. Assume its value was 100 when the response
was sent to the user on the UI. But some hacker/user changes the value to 300 to
see some unauthorized data.

What I am trying to ask here is: does Struts 2 provide any inbuilt interceptor
that can track modification of those secure fields (assume I have
annotated customerId with some annotation, say @secureId) and
throw an error in case it is modified?


On Sat, Nov 30, 2013 at 10:41 PM, Paul Benedict <pb...@apache.org>wrote:

> Mohit, feel free to check out Spring Security. It works with any framework
> to authenticate or authorize resources; it just becomes your responsibility
> to configure it correctly.

Re: Concealing primary key in web application with struts 2 from security perspective?

Posted by Paul Benedict <pb...@apache.org>.
Mohit, feel free to check out Spring Security. It works with any framework
to authenticate or authorize resources; it just becomes your responsibility
to configure it correctly.


On Sat, Nov 30, 2013 at 9:36 AM, Dave Newton <da...@gmail.com> wrote:

> I don't see how it could, since there are an essentially unlimited number
> of back ends, authorization mechanisms, etc that would need to be accounted
> for. Struts 2 is agnostic when it comes to basically everything but the web
> layer.



-- 
Cheers,
Paul

Re: Concealing primary key in web application with struts 2 from security perspective?

Posted by Dave Newton <da...@gmail.com>.
I don't see how it could, since there are an essentially unlimited number
of back ends, authorization mechanisms, etc that would need to be accounted
for. Struts 2 is agnostic when it comes to basically everything but the web
layer.
 On Nov 30, 2013 3:40 AM, "Mohit Gupta" <mo...@gmail.com> wrote:

> I agree it's not a Struts 2 issue. The intention of my question is just to ask
> whether Struts 2 provides any kind of implementation off the shelf (some kind
> of interceptor or any other approach) to address this. Thanks in advance

Re: Concealing primary key in web application with struts 2 from security perspective?

Posted by Mohit Gupta <mo...@gmail.com>.
I agree it's not a Struts 2 issue. The intention of my question is just to ask
whether Struts 2 provides any kind of implementation off the shelf (some kind
of interceptor or any other approach) to address this. Thanks in advance


On Sat, Nov 30, 2013 at 12:16 PM, Paul Benedict <pb...@apache.org>wrote:

> Exposing the primary key is not a security issue; you always have to key
> off something. What you need is business logic that ensures that a user may
> only access what he may. That's not a Struts issue; it's logic that you
> need to add in your business services.

Re: Concealing primary key in web application with struts 2 from security perspective?

Posted by Paul Benedict <pb...@apache.org>.
Exposing the primary key is not a security issue; you always have to key
off something. What you need is business logic that ensures that a user may
only access what he may. That's not a Struts issue; it's logic that you
need to add in your business services.


On Fri, Nov 29, 2013 at 11:24 PM, Mohit Gupta <mo...@gmail.com> wrote:

> When you have an internet-facing application, it's important not to expose
> direct object references on the UI, to protect against the security vulnerability
> where a user can retrieve unauthorized data by merely changing the primary key.
> When you are writing the application from scratch there are various ways
> you can handle it, like:
>
> 1) Handling it at the data layer, where the query has the user id in the WHERE
> clause. The user id should be picked from the session.
>
> 2) Maintaining a reference map at the server side. The key can be some number
> generated based on some algorithm and the value will be the primary key. Then expose
> that number on the UI. On the server side, get the value against that key. Even if
> the user manipulates the number, the corresponding value won't be found and an
> error is thrown. Something like this.
>
> There will be other ways also.
>
> My question is: is there something of a similar kind available in Struts 2, where
> you can annotate any primary-key field and it does step 2 for
> you, or any other implementation to abstract the primary key? Any ideas?
>



-- 
Cheers,
Paul