On 3/9/07, wnqq <[EMAIL PROTECTED]> wrote:
In the Struts2 tutorial page: http://appfuse.org/display/APF/Using+Struts+2 It shows how to use Struts2 to write CRUD for the entity "Person". Because it uses the id (the PK of Person) that is shown on the web page to identify which record of person to use, it apparently causes a serious security issue.
Why? I've been developing webapps this way for several years w/o any issues.
I made a few changes to remove the id from the jsp pages and instead store it in the HttpSession. What I changed includes: - PersonAction/Test, - web-tests.xml, - personList.jsp, etc.
Doesn't sound very scalable to me. I think you're a bit too paranoid. ;-) Matt
If, in the future, you would like to update the tutorial as not showing id on the web, please let me know and it will be my pleasure to upload my code for your reference.
--
View this message in context: http://www.nabble.com/hide-id-of-person-from-the-web-pages-tf3376792s2369.html#a9398113
Sent from the AppFuse - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-- http://raibledesigns.com
