Posted to user@struts.apache.org by Stephane Cosmeur <co...@gmail.com> on 2010/06/03 05:22:00 UTC

Encrypting parameters

Hello,

I would like to improve the security of my web application. My problem is I
would like to encrypt the visible parameters in the URL to prevent users from
changing them to access data they should not see.
At first I thought the simple encode attribute of s:url would do what I
need, but that's not the case. So I don't believe such a useful feature is
implemented in Struts 2.

So what is the best solution to perform it ?

I was thinking of an interceptor which decrypts each request for each
action and a Java function which encrypts the URL in each JSP, but I'm not sure
it's the right way to do it.

Any help would be appreciated !

Regards

-- 
Stéphane Cosmeur

Re: Encrypting parameters

Posted by Dale Newfield <da...@newfield.org>.
On 6/2/10 11:22 PM, Stephane Cosmeur wrote:
> I would like to improve the security of my web application. My problem is I
> would like to encrypt the visible parameters in the URL to prevent user to
> change it to access data he should not see.

No amount of obfuscation can prevent someone from eventually guessing 
other valid parameters, or getting URLs from other sources, etc.  If you 
want the data to be secure, obfuscation won't do it.  When those actions 
are doing the lookups, they should take the current user into account, 
only allowing appropriate users to access any given model object.

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
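Dale's point, that the lookup itself should be scoped to the current user rather than the id being hidden, as an added example (not code from the thread or from Struts). It assumes Struts 2.x, a session attribute `userId` stored at login, and a hypothetical `Invoice` model and `InvoiceRepository` with constructed sample rows.

```java
import java.util.Map;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

/** Hypothetical model: an invoice owned by exactly one user account. */
class Invoice {
    final long id, ownerId; final String summary;
    Invoice(long id, long ownerId, String summary) { this.id = id; this.ownerId = ownerId; this.summary = summary; }
}

/** Hypothetical repository with constructed sample rows. The only lookup it
 *  offers takes the owner as part of the key, so callers cannot forget the check. */
class InvoiceRepository {
    private static final Map<Long, Invoice> ROWS = Map.of(
        1001L, new Invoice(1001L, 7L, "alice - March"),
        1002L, new Invoice(1002L, 9L, "bob - March"));

    static Invoice findForOwner(long id, long ownerId) {
        Invoice row = ROWS.get(id);
        return (row != null && row.ownerId == ownerId) ? row : null;
    }
}

/** Struts 2 action behind e.g. viewInvoice.action?id=1001. Whether the id is
 *  plain or encrypted makes no difference: the result depends on who is asking. */
public class ViewInvoiceAction extends ActionSupport implements SessionAware {
    private long id;                        // bound from the request parameter by the params interceptor
    private Map<String, Object> session;    // injected by the servletConfig interceptor
    private Invoice invoice;

    @Override
    public String execute() {
        Long userId = (Long) session.get("userId"); // assumption: stored at login
        if (userId == null) {
            return LOGIN;
        }
        invoice = InvoiceRepository.findForOwner(id, userId);
        if (invoice == null) {
            // Same outcome for "no such id" and "not yours": the response gives no
            // hint that another user's record exists under that id
            addActionError("Invoice not found");
            return ERROR;
        }
        return SUCCESS;
    }

    public void setId(long id) { this.id = id; }
    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }
    public Invoice getInvoice() { return invoice; }
}
```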


Re: Encrypting parameters

Posted by Rahul Mohan <ra...@tcs.com>.
Hi,

I don't think it's a good idea to expose the URLs to the users in a secure 
application. Avoid GET requests and stick to POST. Also, sticking to 
request forwarding instead of redirects will keep the URL fixed in the 
browser's address bar. You might have some issues with the back button because 
of this, but in most business applications this is OK since going back one 
step in some process is anyway not allowed. Combined with HTTPS this will 
give you good enough protection against eavesdropping. But, to protect 
data access, you would still need to enforce some access control on the 
data based on the user credentials.

cheers,
Rahul Mohan
