How to protect my code from idor and clickjacking threat?

Question

I have my project in struts framework and my project is vulnerable to idor and clickjacking and i need to avoid exposing my private object references to users whenever possible, such as primary keys or filenames and Validate any private object references extensively with an "accept known good" approach and Verify authorization to all referenced objects, as i am new to web development, I am confused where to add which code? please help