I'm using Struts 2, my problem is that I don't want to update all my object properties because I got some sensitive data.
Here is my code example
public class person {
private name;
private email;
private password;
}
In my form for example I display the name and email for update ,so when I update my person properties after submission ,the password property of the person gets the value null,but when I put the property password in the <s:hidden>
tag in the form the update works fine.
How to make Struts 2 remember the value of the password without using the hidden tag in the form ?
If you need to store informations that
- must be persistent across the requests;
- must not be shown in the page;
then you have to use the Session, by implementing SessionAware
:
That said, I'm not sure you should store the user password, nor associate passwords to users;
You should make a login page in your web application, handling the password in that Action only, validating it against the database (or whatever), and storing some authentication id in the Session, not the password itself (you won't validate the user again, unless the session expires, then the user will be redirected to login page... no need to keep the password in memory).
That said too, the best practices for user authentication discourage to validate entered passwords against stored passwords on database;
you should use some one-way hashing algorithm (adding a salt to prevent Rainbow Table
s attacks) to hash a password, and checking it against the hashed password on the database. This way, not even the database administrator could know the passwords of the users, and in case of a forgotten password, it will be resetted, not retrieved.
In Java one of the best implementations out there is jBCrypt, based on BCrypt.
Hope that helps...
EDIT
As a way to conceptually separate the objects you handle in your Web Application, you can use two different beans: a "Full Bean" for reading, with all the properties, and a "Subset Bean" for writing, containing only the properties that could change.
For example, ID and Password should not change... you could read from Database the "Full", and write to the JSP and then to database the "Subset" (except that in user registration, where you will write the full)...
To make it more understandable, the Full Bean is the Dao
Object mapping exactly the database fields, while the Subset Bean is a Presentation
Object, that you will create by copying only the desired attributes from the Dao Object... they're both DTOs, but with two different levels of semantic.
Otherwise just put in session your bean, it is one row of code, and you will be ok.
You can check "null"(or a unique value) value at server-side (If it is null, it means : There is no change.) .
or you can use this class for update request
Public class person
{
protected name;
protected email;
}
Public class personNew: person // inherit from person
{
private password;
}
I dont use "Struts 2", but in my Web-app(APS.NET C#). I go on this way