Posted to user@struts.apache.org by Sid <si...@gmail.com> on 2007/05/12 11:54:16 UTC

Hiding/encrypting URL parameters in Struts application

Hi
Is there a way to hide/encrypt URL parameters using Struts? Right now I am
passing some critical params in the URL.
For example: http://localhost:8080/method=xyz?param1=123&param2=xyz

I want to avoid this. Please let me know if anything can be done about this.


Thanks
Sid

Re: Hiding/encrypting URL parameters in Struts application

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sid,

Sid wrote:
> Is there a way to hide/encrypt URL parameters using Struts?

Struts does not handle this directly. You'll have to do it yourself or
use an existing tool to protect these parameters.

When I do this type of thing, I symmetrically encrypt the data and then
pass the encrypted string as a GET parameter. In order to reduce the
threat of replay attacks, I encrypt the expiration date and time of the
data along with it and refuse to accept it on the other end if it has
expired.

There's a project out there called HDIV that is supposed to protect data
like this. I don't know a thing about it except that someone posts
updates to the project on this list occasionally. (http://www.hdiv.org)

Hope that helps,
-chris
