Exposing the primary key is not a security issue; you always have to key
off something. What you need is business logic that ensures that a user may
only access what he may. That's not a Struts issue; it's logic that you
need to add in your business services.


On Fri, Nov 29, 2013 at 11:24 PM, Mohit Gupta <motgu...@gmail.com> wrote:

> When you have an internet facing application, it's important not to expose
> direct object references on the UI, to protect against a security vulnerability (where a user
> can retrieve unauthorized data by merely changing the primary key).
> When you are writing the application from scratch there are various ways
> you can handle it, like:
>
> 1) Handling it at the data layer, where the query has the user id in the where clause. The user id
> should be picked from the session.
>
> 2) Maintaining a reference map at the server side. The key can be some number
> generated based on some algorithm and the value will be the primary key. Then expose
> that number on the UI. On the server side, get the value against that key. Even if the
> user manipulates the number, the corresponding value won't be found and it will throw an
> error. Something like this.
>
> There will be other ways also.
>
> My question is: is there something of a similar kind available in Struts 2, where
> you can annotate any field with a primary key and it does step 2 for
> you, or any other implementation to abstract the primary key? Any ideas?
>



-- 
Cheers,
Paul
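As an added illustration of the two approaches discussed in the thread (the session-scoped reference map from step 2, and the owner-scoped query from step 1 that Paul's reply says has to live in the business logic anyway), here is a self-contained plain-Java example. It is not code from Struts 2 or from either poster; the `IndirectReferenceMap`, `InvoiceRepository` and `Invoice` names and the in-memory rows are constructed for the demo, and it needs Java 16 or later for the `record`. Run it with `java IndirectReferenceDemo.java`.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class IndirectReferenceDemo {

    /** Step 2: per-session map from an opaque random token to the real primary key.
     *  One instance lives in each user's HTTP session (hypothetical; here just an object). */
    static final class IndirectReferenceMap {
        private static final SecureRandom RNG = new SecureRandom();
        private final Map<String, Long> tokenToKey = new HashMap<>();
        private final Map<Long, String> keyToToken = new HashMap<>();

        /** Returns the token to render in the UI for this primary key (stable within the session). */
        synchronized String toIndirect(long primaryKey) {
            String existing = keyToToken.get(primaryKey);
            if (existing != null) return existing;
            byte[] buf = new byte[16];                      // 128 bits: not guessable
            RNG.nextBytes(buf);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            tokenToKey.put(token, primaryKey);
            keyToToken.put(primaryKey, token);
            return token;
        }

        /** Resolves a token the client submitted; empty when unknown (edited, guessed or replayed). */
        synchronized Optional<Long> toDirect(String token) {
            return Optional.ofNullable(tokenToKey.get(token));
        }
    }

    /** Constructed sample entity. */
    record Invoice(long id, long ownerUserId, String description) {}

    /** Step 1: a constructed in-memory data layer where every lookup is scoped by the
     *  owner id taken from the session, i.e. WHERE id = ? AND owner_user_id = ?. */
    static final class InvoiceRepository {
        private final List<Invoice> rows = List.of(
                new Invoice(101L, 1L, "alice's invoice"),
                new Invoice(102L, 2L, "bob's invoice"));

        Optional<Invoice> findOwnedBy(long invoiceId, long sessionUserId) {
            return rows.stream()
                    .filter(r -> r.id() == invoiceId && r.ownerUserId() == sessionUserId)
                    .findFirst();
        }
    }

    /** Stand-in for an action/service method: token -> key -> owner-scoped query. */
    static Optional<Invoice> loadInvoice(IndirectReferenceMap session, InvoiceRepository repo,
                                         long sessionUserId, String submittedToken) {
        Optional<Long> key = session.toDirect(submittedToken);
        if (key.isEmpty()) return Optional.empty();            // tampered or foreign token
        return repo.findOwnedBy(key.get(), sessionUserId);     // ownership still enforced
    }

    public static void main(String[] args) {
        InvoiceRepository repo = new InvoiceRepository();
        IndirectReferenceMap aliceSession = new IndirectReferenceMap();   // user id 1
        IndirectReferenceMap bobSession = new IndirectReferenceMap();     // user id 2

        // Rendering alice's page: the UI shows the token, never the id 101.
        String aliceToken = aliceSession.toIndirect(101L);
        System.out.println("token shown to alice: " + aliceToken);

        // Alice submits her own token: resolves to her row.
        System.out.println("alice, own token:      " + loadInvoice(aliceSession, repo, 1L, aliceToken));
        // An edited token is simply absent from her map.
        System.out.println("alice, edited token:   " + loadInvoice(aliceSession, repo, 1L, "AAAAAAAAAAAAAAAAAAAAAA"));
        // Bob replays alice's token in his own session: not in his map either.
        System.out.println("bob, alice's token:    " + loadInvoice(bobSession, repo, 2L, aliceToken));
        // Even if bob's map did contain alice's key, the owner filter in the query blocks it.
        String bobTokenForAliceRow = bobSession.toIndirect(101L);
        System.out.println("bob, mapped to 101:    " + loadInvoice(bobSession, repo, 2L, bobTokenForAliceRow));
    }
}
```

The last case is the point Paul makes: the reference map hides the key and defeats casual editing, but only the owner check in the query (or service) actually decides who may read which row, so the map is a convenience on top of that check, not a replacement for it.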
