Interesting. So perhaps instead of encoding the primary key of a
Hibernate entity directly, you'd instead maintain a lookup combining
user id and object id, mapped to a random string.  The random string
would have to be in some kind of fast lookup table stored persistently
(perhaps in the DB for sharing across the cluster, if any).

Anyway, that's the kind of idea that popped into my head ... what's
your solution looking like?

On Tue, Feb 2, 2010 at 10:42 AM, cordenier christophe
<christophe.corden...@gmail.com> wrote:
> An old link
> http://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference
> but the principle is there.
>
> 2010/2/2 cordenier christophe <christophe.corden...@gmail.com>
>
>> OWASP A4 is: Avoid Insecure Direct Object References (in URL in my case)
>>
>> Suggested implementation is to indirect all direct references to entity ids,
>> for example.
>>
>> BTW The solution provided by Howard works like a charm, I will add it to my
>> guideline.
>>
>> Thanks again,
>> Christophe.
>>
>> 2010/2/2 Thiago H. de Paula Figueiredo <thiag...@gmail.com>
>>
>>> On Tue, 02 Feb 2010 16:08:41 -0200, cordenier christophe <
>>> christophe.corden...@gmail.com> wrote:
>>>
>>>> Actually I am trying to decorate ComponentEventLinkEncoder to implement a
>>>> solution for the OWASP A4 recommendation.
>>>>
>>>
>>> Which recommendation? Just curious. :)
>>>
>>> --
>>> Thiago H. de Paula Figueiredo
>>> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
>>> and instructor
>>> Owner, software architect and developer, Ars Machina Tecnologia da
>>> Informação Ltda.
>>> http://www.arsmachina.com.br
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>
>>>
>>
>



-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com

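Howard's lookup idea above, written out as an added example (this is not code from the thread, from Tapestry or from Hibernate): a per-user map from a real entity id to a random opaque token that a link encoder could emit instead of the primary key, with the reverse lookup refusing tokens issued to a different user. The class and method names are assumptions, and the in-memory maps stand in for the persistent, cluster-shared table he mentions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Indirect object references: (userId, entityId) <-> random token. Hypothetical helper. */
public final class IndirectReferenceMap {
    private static final SecureRandom RANDOM = new SecureRandom();

    /** What a token resolves to; the owning user is checked on every decode. */
    private static final class Entry {
        final String userId;
        final long entityId;
        Entry(String userId, long entityId) { this.userId = userId; this.entityId = entityId; }
    }

    // token -> owner + real entity id (in-memory stand-in for the persistent lookup table)
    private final Map<String, Entry> byToken = new ConcurrentHashMap<>();
    // "userId:entityId" -> token, so a user sees a stable token for the same entity
    private final Map<String, String> byEntity = new ConcurrentHashMap<>();

    /** Token to place in URLs for this user and entity; created on first use. */
    public String encode(String userId, long entityId) {
        String key = userId + ":" + entityId;
        return byEntity.computeIfAbsent(key, k -> {
            byte[] buf = new byte[16];                      // 128 random bits, unguessable
            RANDOM.nextBytes(buf);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            byToken.put(token, new Entry(userId, entityId));
            return token;
        });
    }

    /** Real entity id for a token, or null if the token is unknown or belongs to another user. */
    public Long decode(String userId, String token) {
        Entry e = byToken.get(token);
        if (e == null || !e.userId.equals(userId)) {
            return null;                                    // never reveal ids across users
        }
        return e.entityId;
    }

    public static void main(String[] args) {
        IndirectReferenceMap map = new IndirectReferenceMap();
        String aliceToken = map.encode("alice", 42L);       // constructed sample user and id
        System.out.println("alice resolves her token to: " + map.decode("alice", aliceToken));
        System.out.println("bob reusing alice's token gets: " + map.decode("bob", aliceToken));
        System.out.println("token stable for alice: " + aliceToken.equals(map.encode("alice", 42L)));
    }
}
```

Wiring this into a ComponentEventLinkEncoder decorator means calling encode when the link is built and decode (with the current user's id) when the request is decoded, treating a null result as a request for an object the user does not own.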