You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Mohit Gupta <mo...@gmail.com> on 2013/12/01 07:01:57 UTC
Re: Concealing primary key in web application with struts 2 from
security perspective?
Thanks Ahmed. As you told its available in jsf,shiro .what about struts?
On Sun, Dec 1, 2013 at 2:13 AM, Ahmed Khan <ah...@gmail.com> wrote:
> Try other frameworks like Apache Shiro. Also JSF has a builtin feature
> where fields marked as disabled or read only are not transferred to and fom
> the client.
>
>
>
>
> On Sat, Nov 30, 2013 at 9:43 PM, Dave Newton <da...@gmail.com>
> wrote:
>
> > No, I think everyone understood. Struts is authorization-agnostic.
> > On Nov 30, 2013 2:17 PM, "Mohit Gupta" <mo...@gmail.com> wrote:
> >
> > > Guys looks like i was not clear in my question earlier. My requirement
> is
> > > something like this
> > >
> > > i make a call to struts 2 action which forwards the request to
> > customer.jsp
> > > which populates the fields from CustomerInfo.java (data object). Say
> > > CustomerInfo has a field customerId .Assume its value was 100 when
> > response
> > > was sent to user on UI. But some hacker/user changes the value to 300
> to
> > > see some unauthorize data.
> > >
> > > What i am trying to ask here does struts 2 provide any inbuilt
> > interceptor
> > > so that it can track those secure fields(assume i have
> > > annotated customerId with some annotation say @secureId) modification
> > and
> > > throw error in case it is modified.
> > >
> > >
> > > On Sat, Nov 30, 2013 at 10:41 PM, Paul Benedict <pbenedict@apache.org
> > > >wrote:
> > >
> > > > Mohit, feel free to check out Spring Security. It works with any
> > > framework
> > > > to authenticate or authorize resources; it just becomes your
> > > responsibility
> > > > to configure it correctly.
> > > >
> > > >
> > > > On Sat, Nov 30, 2013 at 9:36 AM, Dave Newton <da...@gmail.com>
> > > > wrote:
> > > >
> > > > > I don't see how it could, since there are an essentially unlimited
> > > number
> > > > > of back ends, authorization mechanisms, etc that would need to be
> > > > accounted
> > > > > for. Struts 2 is agnostic when it comes to basically everything but
> > the
> > > > web
> > > > > layer.
> > > > > On Nov 30, 2013 3:40 AM, "Mohit Gupta" <mo...@gmail.com>
> wrote:
> > > > >
> > > > > > I agree its not a struts 2 issue. My intention of question is
> just
> > to
> > > > ask
> > > > > > does struts 2 provide any kind of implementation off the shelf
> > (some
> > > > kind
> > > > > > of interceptor or any other approach)to address this. Thanks in
> > > advance
> > > > > >
> > > > > >
> > > > > > On Sat, Nov 30, 2013 at 12:16 PM, Paul Benedict <
> > > pbenedict@apache.org
> > > > > > >wrote:
> > > > > >
> > > > > > > Exposing the primary key is not a security issue; you always
> have
> > > to
> > > > > key
> > > > > > > off something. What you need is business logic that ensures
> that
> > a
> > > > user
> > > > > > may
> > > > > > > only access what he may. That's not a Struts issue; it's logic
> > that
> > > > you
> > > > > > > need to add in your business services.
> > > > > > >
> > > > > > >
> > > > > > > On Fri, Nov 29, 2013 at 11:24 PM, Mohit Gupta <
> > motgupta@gmail.com>
> > > > > > wrote:
> > > > > > >
> > > > > > > > When you have internet facing application , its important not
> > to
> > > > > expose
> > > > > > > > direct object reference on UI to protect security
> > > > vulnerability(where
> > > > > > > user
> > > > > > > > can retrieve the unauthorized data by merely changing the
> > primary
> > > > > key).
> > > > > > > > When you are righting the application from scratch there are
> > > > various
> > > > > > ways
> > > > > > > > you can handle it like :-
> > > > > > > >
> > > > > > > > 1)Handling at data layer where query has user id in where
> > class.
> > > > user
> > > > > > id
> > > > > > > > should be picked from session
> > > > > > > >
> > > > > > > > 2)Maintaining the map reference map at server side . Key can
> be
> > > > some
> > > > > > > number
> > > > > > > > generated based on some algo and value will be primary key.
> > Then
> > > > > expose
> > > > > > > > that number on ui . On server side get the value against that
> > > key.
> > > > > Even
> > > > > > > if
> > > > > > > > user manipulate the number corresponding value wont be found
> > and
> > > > > throw
> > > > > > an
> > > > > > > > error. Something like this.
> > > > > > > >
> > > > > > > > There will be other ways also.
> > > > > > > >
> > > > > > > > My question is there something of similar kind available in
> > > struts
> > > > 2
> > > > > > > where
> > > > > > > > you can annotate the any field with primary key and it does
> the
> > > > step
> > > > > 2
> > > > > > > for
> > > > > > > > you or any other implementation to abstract primary key. Any
> > > > ideas?
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Cheers,
> > > > > > > Paul
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Cheers,
> > > > Paul
> > > >
> > >
> >
>
>
>
> --
> ------------------------------------
> http://www.operationbadar.net
>