top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Concealing primary key in web application with struts 2 from security perspective?

+2 votes
538 views

When you have internet facing application , its important not to expose direct object reference on UI to protect security vulnerability(where user can retrieve the unauthorized data by merely changing the primary key). When you are righting the application from scratch there are various ways you can handle it like :-

1) Handling at data layer where query has user id in where class. user id should be picked from session

2) Maintaining the map reference map at server side . Key can be some number generated based on some algo and value will be primary key. Then expose that number on ui . On server side get the value against that key. Even if user manipulate the number corresponding value wont be found and throw an
error. Something like this.

There will be other ways also.

My question is there something of similar kind available in struts 2 where you can annotate the any field with primary key and it does the step 2 for you or any other implementation to abstract primary key. Any ideas?

posted Nov 30, 2013 by Ahmed Patel

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+2 votes

Exposing the primary key is not a security issue; you always have to key off something. What you need is business logic that ensures that a user may only access what he may. That's not a Struts issue; it's logic that you need to add in your business services.

answer Nov 30, 2013 by Deepak Dasgupta
I agree its not a struts 2 issue. My intention of question is just to ask does struts 2 provide any kind of implementation off the shelf (some kind of interceptor or any other approach)to address this.
I don't see how it could, since there are an essentially unlimited number of back ends, authorization mechanisms, etc that would need to be accounted for. Struts 2 is agnostic when it comes to basically everything but the web layer.
Feel free to check out Spring Security. It works with any framework to authenticate or authorize resources; it just becomes your responsibility to configure it correctly.
Similar Questions
+1 vote

Is it possible, and if so how, to run a local process (normally run from the command line), within a struts web application.

+1 vote

I need to integrate struts 2 with my classic web application based on servlet.

How do I tell struts 2 intercept only requests coming from specific folder like com.mysite.app.xx.yy where I will placing all struts related source files?

Here is the link what I started at stackoverflow,

http://stackoverflow.com/questions/30056132/integrating-classic-jsp-servlet-3-0-based-web-application-with-struts-2?noredirect=1#comment48258124_30056132

Please see if someone can throw some light on my issue.

+2 votes

I have a couple of old struts 2 apps that are using 2.2.1. I want to upgrade them to 2.3. What is the minimal set of jar files I need in WEB-INF/lib?

I currently have:
commons-beanutils-1.7.jar
commons-collections-2.1.jar
commons-digester-1.7.jar
commons-fileupload-1.2.1.jar
commons-io-1.4.jar
commons-javaflow-20060411.jar
commons-lang-2.5.jar
commons-logging-1.0.4.jar
freemarker-2.3.16.jar
ibatis-2.3.2.715.jar
itext-1.3.1.jar
jasperreports-2.0.5.jar
javamail.jar
javassist-3.8.0.GA.jar
jdt-compiler-3.1.1.jar
jstl.jar
jxl-2.6.jar
log4j-1.2.14.jar
ognl-3.0.jar
poi-3.0.1-FINAL-20070705.jar
spring.jar
standard.jar
struts2-core-2.2.1.jar
struts2-jasperreports-plugin-2.0.11.1.jar
urlrewrite-3.2.0.jar
xalan.jar
xercesImpl.jar
xwork-core-2.2.1.jar

+1 vote

We have an application wherein we want to keep separate database for each client. We want to achieve this using multi tenancy approach. A working example will be highly appreciated.

...