Update object properties


Problem description

I'm using Struts 2, my problem is that I don't want to update all my object properties because I got some sensitive data.

This is my code sample:

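public class Person {
  // Fields shown in the update form
  private String name;
  private String email;
  // Sensitive field that is not rendered in the form
  private String password;
}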

In my form, for example, I display the name and email for update, so when I update my person properties after submission, the password property of the person gets the value null, but when I put the property password in the <s:hidden> tag in the form, the update works fine.

How to make Struts 2 remember the value of the password without using the hidden tag in the form?

Recommended answer

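If you need to store information that

  • must persist across requests;

  • must not be shown in the page;

then you have to use the Session, by implementing SessionAware.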

That said, I'm not sure you should store the user password, nor associate passwords to users;

You should make a login page in your web application, handling the password in that Action only, validating it against the database (or whatever), and storing some authentication id in the Session, not the password itself (you won't validate the user again, unless the session expires, then the user will be redirected to login page... no need to keep the password in memory).

That said too, the best practices for user authentication discourage validating entered passwords against stored passwords in the database;

you should use some one-way hashing algorithm (adding a salt to prevent Rainbow Tables attacks) to hash a password, and check it against the hashed password in the database. This way, not even the database administrator could know the passwords of the users, and in case of a forgotten password, it will be reset, not retrieved.

In Java one of the best implementations out there is jBCrypt, based on BCrypt.

Hope that helps...

EDIT

As a way to conceptually separate the objects you handle in your Web Application, you can use two different beans: a "Full Bean" for reading, with all the properties, and a "Subset Bean" for writing, containing only the properties that could change.

For example, ID and Password should not change... you could read from Database the "Full", and write to the JSP and then to database the "Subset" (except that in user registration, where you will write the full)...

To make it more understandable, the Full Bean is the Dao Object mapping exactly the database fields, while the Subset Bean is a Presentation Object that you will create by copying only the desired attributes from the Dao Object... they're both DTOs, but with two different levels of semantics.

Otherwise just put in session your bean, it is one row of code, and you will be ok.
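
The "Full Bean" / "Subset Bean" split described in the answer above, as an added example that is not part of the original question or answer. It is plain Java with no Struts dependency; every class and method name, the in-memory map standing in for the database, and the sample values are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: all names here are hypothetical.
public class SubsetBeanDemo {

    // "Full Bean": maps every database column, including the password hash.
    static final class Person {
        final long id;
        String name;
        String email;
        final String passwordHash; // never written by the profile update
        Person(long id, String name, String email, String passwordHash) {
            this.id = id; this.name = name; this.email = email;
            this.passwordHash = passwordHash;
        }
    }

    // "Subset Bean": the only object the update form binds to. It has no
    // id or password setter, so request parameters cannot reach those fields.
    public static final class PersonForm {
        private String name;
        private String email;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    // Constructed in-memory stand-in for the database.
    static final Map<Long, Person> DB = new HashMap<>();

    // The user id comes from the authenticated session, never from the form.
    static Person update(long sessionUserId, PersonForm form) {
        Person stored = DB.get(sessionUserId);
        if (stored == null) throw new IllegalStateException("unknown user");
        stored.name = form.getName();   // copy only the editable fields
        stored.email = form.getEmail();
        return stored;                  // passwordHash is left as stored
    }

    public static void main(String[] args) {
        String hash = "<constructed-bcrypt-hash>"; // placeholder, not a real hash
        DB.put(7L, new Person(7L, "Ann", "ann@example.test", hash));
        PersonForm form = new PersonForm();
        form.setName("Ann B.");
        form.setEmail("ann.b@example.test");
        Person p = update(7L, form);
        System.out.println(p.name + " " + p.email + " hashKept=" + hash.equals(p.passwordHash));
    }
}
```

Because the form object is copied onto a freshly loaded record, the password neither has to travel to the browser in a hidden field nor gets overwritten with null on submit.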
