[OWASP-ESAPI] Real-world usage of AccessReferenceMap

Jeff Williams jeff.williams at owasp.org
Sun Feb 15 00:02:12 EST 2009


Hi John,

I think you've got the idea. You'll want to keep the ARM around so that you
can get the real object using the indirect reference. The flow I use is
to...

- get a list of authorized objects put together
- create an ARM with that list
- store the ARM in session
- render the UI using indirect references from the ARM

Then when the request comes back in

- lookup the indirect reference in the ARM to get the authorized object
- use the object as normal
- possibly update the ARM as needed
- continue

--Jeff
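The flow above, worked through for John's account-list and detail-page case. This is an added example, not code from the thread or from ESAPI's own distribution; the `AccessReferenceMap`, `RandomAccessReferenceMap`, `AccessControlException` and `ESAPI.encoder()` calls are the ESAPI 2.x API, while `Account`, `AccountRepository`, the `ARM_KEY` session attribute name, the `ref` request parameter and the servlet wiring are assumptions made for the example.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.owasp.esapi.AccessReferenceMap;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

/** Jeff's ARM flow applied to an account list with per-row detail links (example code). */
public class AccountReferenceFlow {

    /** Session attribute holding the per-user ARM (name chosen for this example). */
    static final String ARM_KEY = "accountArm";

    /** Stand-in business object, constructed for the example. */
    static final class Account {
        final long id;        // direct reference: stays server-side
        final String owner;
        Account(long id, String owner) { this.id = id; this.owner = owner; }
    }

    /** Hypothetical data-access hook; findAuthorizedFor applies the real authorization rule. */
    interface AccountRepository {
        List<Account> findAuthorizedFor(String username);
        Account findById(long id);
    }

    /** Steps 1-3: build the authorized list, create the ARM from it, store the ARM in session. */
    static AccessReferenceMap<String> buildAndStoreArm(HttpSession session,
                                                       AccountRepository repo,
                                                       String username) {
        List<Account> accounts = repo.findAuthorizedFor(username);
        Set<Object> directRefs = new LinkedHashSet<Object>();
        for (Account a : accounts) {
            directRefs.add(a.id);   // Long ids have value equality, so update() can diff them later
        }
        AccessReferenceMap<String> arm = new RandomAccessReferenceMap(directRefs);
        session.setAttribute(ARM_KEY, arm);
        return arm;
    }

    /** Step 4: render the table; only the random indirect reference reaches the browser. */
    static String renderRows(AccessReferenceMap<String> arm, List<Account> accounts) {
        StringBuilder html = new StringBuilder();
        for (Account a : accounts) {
            String indirect = arm.getIndirectReference(a.id);
            html.append("<tr><td>")
                .append(ESAPI.encoder().encodeForHTML(a.owner))
                .append("</td><td><a href=\"detail?ref=")
                .append(ESAPI.encoder().encodeForHTMLAttribute(indirect))
                .append("\">detail</a></td></tr>\n");
        }
        return html.toString();
    }

    /** Request comes back in: resolve the indirect reference through the ARM or deny. */
    static Account resolveAccount(HttpServletRequest request, AccountRepository repo)
            throws AccessControlException {
        HttpSession session = request.getSession(false);
        if (session == null) {
            throw new AccessControlException("Access denied", "Detail request without a session");
        }
        @SuppressWarnings("unchecked")
        AccessReferenceMap<String> arm = (AccessReferenceMap<String>) session.getAttribute(ARM_KEY);
        if (arm == null) {
            throw new AccessControlException("Access denied", "No access reference map in session");
        }
        // getDirectReference throws AccessControlException for any value not in the map,
        // so a tampered or guessed "ref" never turns into a data-store lookup.
        Long accountId = arm.getDirectReference(request.getParameter("ref"));
        return repo.findById(accountId);
    }

    /** "Possibly update the ARM": re-derive the authorized set and keep existing references. */
    static void refreshArm(HttpSession session, AccountRepository repo, String username) {
        @SuppressWarnings("unchecked")
        AccessReferenceMap<String> arm = (AccessReferenceMap<String>) session.getAttribute(ARM_KEY);
        if (arm == null) {
            buildAndStoreArm(session, repo, username);
            return;
        }
        Set<Object> directRefs = new LinkedHashSet<Object>();
        for (Account a : repo.findAuthorizedFor(username)) {
            directRefs.add(a.id);
        }
        arm.update(directRefs);   // adds new ids, drops revoked ones, keeps indirect refs for the rest
    }
}
```

The important property is that `resolveAccount` never consults the data store with a client-supplied value: the only path from the `ref` parameter to an account id runs through the session's ARM, which was built from the authorized set. `refreshArm` uses `update()` rather than a fresh map so that links already rendered in an open page keep working while revoked objects become unresolvable.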

-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of John Melton
Sent: Friday, February 13, 2009 2:10 PM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] Real-world usage of AccessReferenceMap

Hi,
I am attempting to use the AccessReferenceMap object.  Perusing the
code from the swingset app, I see a usage of the
RandomAccessReferenceMap object, and understand the concept and how it
works.  What I'm wondering is how that might look in practice.  I'm
just looking for something beyond a toy example.

For many, including myself, I'd imagine the way this object would be
used would be to render a collection of objects in a table on a web
page, each with a link to a "detail" page about that object, and the
detail page would be passed the indirect reference to an id or to the
actual object stored in the session likely as suggested by the
comments in the swingset code.

So to summarize, I was hoping someone could give me an example snippet
- or at least logical flow to do this set of steps.  (just the parts
related to the use of AccessReferenceMap)

1. retrieve collection of business objects (say accounts) from data
store, and place those in scope for UI display
2. on the UI, display that collection in a table, each row having a
link to the account id (indirect reference of course)
3. retrieving the real account id from the AccessReferenceMap based on
the indirect reference (I can see how this is done from the example
code)

Thanks,
John
jtmelton at gmail.com
_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi
