5

What other good solutions are there?

From the Area51 proposal

Anders
  • 64,406
  • 24
  • 178
  • 215
AviD
  • 72,138
  • 22
  • 136
  • 218

2 Answers2

4

Summarizing atdre's link: OWASP ESAPI conveniently provides a mapping from a set of indirect references to the direct references, so convenient that you can even use a different mapping upon each request to your service.

Alternatives include container-managed security, Apache Shiro, and Spring Security, all of which are discussed in a StackOverflow question.

Community
  • 1
minopret
  • 434
  • 3
  • 9
3

In the open-source OWASP ESAPI project, there is an example architecture with the correct controls in place to prevent IDORs. In that architecture is an Interface named AccessReferenceMap.

The AccessReferenceMap interface extends java.io.Serializable and is used to map a set of internal direct object references to a set of indirect references that are safe to disclose publicly. It can be used to help protect database keys, filenames, and other types of direct object references. As a rule, developers should not expose their direct object references, as this enables attackers to attempt to manipulate them.

https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/AccessReferenceMap.html

atdre
  • 18,885
  • 6
  • 58
  • 107