Is there anything already integrated in JSF 1.2 or SEAM 2.2.2 to prevent A4-Insecure Direct Object References
I know the ESAPI functions to do it, but I don't want to include another framework into my project if not necessary. Is there anything built into JSF or SEAM?
You have several alternatives:
- Verify access to the secured resource in your SQL statements
- The indirect object hash map is a terrifically simple construct that is literally 10 lines of code. Just re-implement it, and be careful of your source of randomness.
- Change your tag libraries to do what ASP.NET does, which is to validate that checkboxes, radio groups, selects etc. that have constrained input have the same value as one of the potential inputs that was sent out (i.e. if you have "1", "2", and "3", that the parameter is one of those three values). JSF 2 and RichFaces still don't bring you up to ASP.NET 2.0 levels of basic software engineering.
- Use s:validateForm from the Seam Faces integration to perform programmatic inspection.
Honestly, I think (2) is the best alternative, as I know bringing in ESAPI for J2EE requires stubbing out quite a bit for a few lines of code. Why it needs a custom FileBasedAuthenticator to do DOR mapping is beyond me. I aimed for looser coupling in ESAPI for PHP, but it's been a while since I hacked on ESAPI for J2EE.
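As an added illustration of alternative (2) above (this is example code written for this page, not part of the original answer, ESAPI, JSF or Seam): a minimal per-user indirect reference map backed by `SecureRandom`. The map hands the browser an opaque token for each record the current user is allowed to reach and resolves only tokens it issued itself, so a guessed or edited value (a neighbouring invoice id, say) has no entry and is rejected. Because the map only ever contains references the server sent out, the same lookup also covers the "is the submitted value one of the options we rendered" check from alternative (3). The `IndirectReferenceMap` class, its method names and the invoice ids are all constructed for this example; in a Seam 2 project you would hold one instance per session (e.g. a `@Scope(ScopeType.SESSION)` component) and rebuild it per request or per page as your data changes.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Example indirect reference map (constructed for this answer, not ESAPI's or Seam's API).
 * Keep one instance per authenticated session so tokens are only meaningful to the user
 * they were issued to; never share an instance across users.
 */
public class IndirectReferenceMap<T> {

    // SecureRandom, not java.util.Random: tokens must not be predictable from earlier ones.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 12;

    private final Map<String, T> indirectToDirect = new HashMap<String, T>();
    private final Map<T, String> directToIndirect = new HashMap<T, String>();

    /** Returns the opaque token for a direct reference, issuing a fresh one on first use. */
    public synchronized String toIndirect(T direct) {
        String token = directToIndirect.get(direct);
        if (token == null) {
            do {
                token = randomToken();
            } while (indirectToDirect.containsKey(token)); // collision is astronomically unlikely, but cheap to rule out
            indirectToDirect.put(token, direct);
            directToIndirect.put(direct, token);
        }
        return token;
    }

    /** Resolves a token that came back from the client; anything not issued by this map is rejected. */
    public synchronized T toDirect(String indirect) {
        T direct = indirect == null ? null : indirectToDirect.get(indirect);
        if (direct == null) {
            // Log this: a token that was never issued means tampering or a stale session, never a normal click.
            throw new SecurityException("unknown indirect reference");
        }
        return direct;
    }

    private static String randomToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(TOKEN_BYTES * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b)); // hex keeps the token safe to put in a URL or a select value
        }
        return sb.toString();
    }

    /** Stand-alone demo with constructed sample data. */
    public static void main(String[] args) {
        IndirectReferenceMap<Long> invoices = new IndirectReferenceMap<Long>();

        // Constructed sample: the invoice ids the current user is entitled to see (from your own access check).
        long[] ownInvoiceIds = {1001L, 1002L};
        for (long id : ownInvoiceIds) {
            System.out.println("invoice " + id + " rendered as token " + invoices.toIndirect(id));
        }

        // A token the server issued resolves back to the record it stands for.
        String token = invoices.toIndirect(1001L);
        System.out.println(token + " resolves to invoice " + invoices.toDirect(token));

        // A value the server never issued (here a plain id typed into the request) is refused.
        try {
            invoices.toDirect("1003");
        } catch (SecurityException e) {
            System.out.println("rejected forged reference: " + e.getMessage());
        }
    }
}
```

Resolution happens on every request that carries a token, so the map must be populated only with references the user has already been authorised for; the map replaces guessable identifiers, it does not replace the access check that decides what goes into it. If you expose the tokens as the values of a `<h:selectOneMenu>`, a submitted value outside the rendered options fails `toDirect` for exactly the same reason a forged URL parameter does.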