Concealing primary key in web application with struts 2 from security perspective?

Question

When you have internet facing application , its important not to expose direct object reference on UI to protect security vulnerability(where user can retrieve the unauthorized data by merely changing the primary key). When you are righting the application from scratch there are various ways you can handle it like :-

1) Handling at data layer where query has user id in where class. user id should be picked from session

2) Maintaining the map reference map at server side . Key can be some number generated based on some algo and value will be primary key. Then expose that number on ui . On server side get the value against that key. Even if user manipulate the number corresponding value wont be found and throw an
error. Something like this.

There will be other ways also.

My question is there something of similar kind available in struts 2 where you can annotate the any field with primary key and it does the step 2 for you or any other implementation to abstract primary key. Any ideas?

Answer 1

Exposing the primary key is not a security issue; you always have to key off something. What you need is business logic that ensures that a user may only access what he may. That's not a Struts issue; it's logic that you need to add in your business services.

Comments

I agree its not a struts 2 issue. My intention of question is just to ask does struts 2 provide any kind of implementation off the shelf (some kind of interceptor or any other approach)to address this.

---

I don't see how it could, since there are an essentially unlimited number of back ends, authorization mechanisms, etc that would need to be accounted for. Struts 2 is agnostic when it comes to basically everything but the web layer.

---

Feel free to check out Spring Security. It works with any framework to authenticate or authorize resources; it just becomes your responsibility to configure it correctly.