Posted to users@tapestry.apache.org by Dennis Sinelnikov <de...@augustschell.com> on 2006/12/07 03:01:02 UTC

Securing URL Parameters

Dear Fellow Tapestriers :),

I need to implement an EngineService that will return a specific file 
living on a filesystem.  I need to pass a parameter in the URL that 
specifies which file to return.  I've searched the Tapestry listserv 
archives for an elegant solution, but nothing really caught my eye.  My 
initial thought was to do a one-way hash of the file and pass it via the 
parameter in the URL; when the URL comes back, the service would 
"replicate" the process by comparing the hashes of all the files to see 
which one matches; the one that matches is returned to the user.

I'm curious to see what others are doing in securing URLs from malicious 
users.  Sample code or any suggestions are greatly appreciated.

Thanks,
Dennis


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: Securing URL Parameters

Posted by Sam Gendler <sg...@ideasculptor.com>.
I don't usually send the filename hashed.  I merely include a hash of
the parameter that was created with a secret seed.  At the other end,
I can determine if the payload was messed with by seeing if the
parameters match the hash of the params.  This makes life a lot easier
to debug, is pretty secure (although someone who guesses your seed can
make you do anything they want), and makes it easier on the server
end, since you don't have to maintain a map of hash values to file
paths.  Any request that fails the hash test just gets sent an error
page.

--sam


On 12/6/06, Dennis Sinelnikov <de...@augustschell.com> wrote:
> Dear Fellow Tapestriers :),
>
> I need to implement an EngineService that will return a specific file
> living on a filesystem.  I need to pass a parameter in the URL that
> specifies which file to return.  I've searched the Tapestry listserv
> archives for an elegant solution, but nothing really caught my eye.  My
> initial thought was to do a one-way hash of the file and pass it via the
> parameter in the URL; when the URL comes back, the service would
> "replicate" the process by comparing the hashes of all the files to see
> which one matches; the one that matches is returned to the user.
>
> I'm curious to see what others are doing in securing URLs from malicious
> users.  Sample code or any suggestions are greatly appreciated.
>
> Thanks,
> Dennis
>
>


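Sam's scheme above (the plain file parameter sent alongside a keyed hash of it, verified on the way back) as an added Java example; this is not code from the thread or from Tapestry, and the class name, method names and the choice of HMAC-SHA256 are mine. It assumes a random 256-bit key generated on the server stands in for the "secret seed", and it compares tags in constant time so response timing reveals nothing about the expected value.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Signs and verifies a file-name URL parameter with a keyed hash (HMAC-SHA256). Hypothetical helper. */
public final class SignedFileParam {
    private final byte[] key;   // random secret held only on the server; a guessable "seed" defeats the scheme

    public SignedFileParam(byte[] key) {
        if (key.length < 32) throw new IllegalArgumentException("key should be at least 256 bits");
        this.key = key.clone();
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Tag to put in the URL next to the plain-text file parameter. */
    public String sign(String fileName) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac(fileName));
    }

    /** True only if the tag was produced for exactly this file name with this server's key. */
    public boolean verify(String fileName, String tag) {
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(tag);
        } catch (IllegalArgumentException e) {
            return false;                              // not even valid base64: reject
        }
        return MessageDigest.isEqual(mac(fileName), given);   // constant-time comparison
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);             // generated once at startup, kept server-side
        SignedFileParam s = new SignedFileParam(key);
        String file = "reports/2006-12.pdf";           // constructed sample parameter
        String tag = s.sign(file);
        System.out.println("file=" + file + "&sig=" + tag);
        System.out.println(s.verify(file, tag));       // untouched parameter
        System.out.println(s.verify("reports/2006-11.pdf", tag));   // same tag, altered parameter
    }
}
```

A passing check only proves the server itself produced the parameter; the service should still resolve the name under its fixed download directory before opening it, and any request that fails the check gets the error page Sam describes.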

Re: Securing URL Parameters

Posted by Dennis Sinelnikov <de...@augustschell.com>.
Damian Krzeminski wrote:
> Dennis Sinelnikov wrote:
>> Dear Fellow Tapestriers :),
>>
>> I need to implement an EngineService that will return a specific file 
>> living on a filesystem.  I need to pass a parameter in the URL that 
>> specifies which file to return.  I've searched the Tapestry listserv 
>> archives for an elegant solution, but nothing really caught my eye.  
>> My initial thought was to do a one-way hash of the file and pass it 
>> via the parameter in the URL; when the URL comes back, the service 
>> would "replicate" the process by comparing the hashes of all the files 
>> to see which one matches; the one that matches is returned to the user.
>>
>> I'm curious to see what others are doing in securing URLs from 
>> malicious users.  Sample code or any suggestions are greatly appreciated.
>>
>> Thanks,
>> Dennis
>>
>>
> 
> I was looking for an elegant solution to that problem as well. I ended up 
> doing something similar to AssetService, which is, I guess, what you are 
> trying to do as well.
> 
> The code is here:
> http://scm.sipfoundry.org/rep/sipX/main/sipXconfig/web/src/org/sipfoundry/sipxconfig/components/DownloadService.java 
> 
> http://scm.sipfoundry.org/rep/sipX/main/sipXconfig/web/src/org/sipfoundry/sipxconfig/components/DownloadLink.java 
> 
> 
> It's in a Subversion repository - you can get the entire project from here: 
> http://scm.sipfoundry.org/rep/sipX/main/sipXconfig
> 
> If anybody comes up with something better, I'd like to know about it.
> Damian
> 
> 
Thanks Sam and Damian.  I guess the answer was right in front of my nose 
the whole time. ;)

-Dennis




Re: Securing URL Parameters

Posted by Damian Krzeminski <da...@pingtel.com>.
Dennis Sinelnikov wrote:
> Dear Fellow Tapestriers :),
> 
> I need to implement an EngineService that will return a specific file 
> living on a filesystem.  I need to pass a parameter in the URL that 
> specifies which file to return.  I've searched the Tapestry listserv 
> archives for an elegant solution, but nothing really caught my eye.  My 
> initial thought was to do a one-way hash of the file and pass it via the 
> parameter in the URL; when the URL comes back, the service would 
> "replicate" the process by comparing the hashes of all the files to see 
> which one matches; the one that matches is returned to the user.
> 
> I'm curious to see what others are doing in securing URLs from malicious 
> users.  Sample code or any suggestions are greatly appreciated.
> 
> Thanks,
> Dennis
> 
> 

I was looking for an elegant solution to that problem as well. I ended up doing something similar to 
AssetService, which is, I guess, what you are trying to do as well.

The code is here:
http://scm.sipfoundry.org/rep/sipX/main/sipXconfig/web/src/org/sipfoundry/sipxconfig/components/DownloadService.java
http://scm.sipfoundry.org/rep/sipX/main/sipXconfig/web/src/org/sipfoundry/sipxconfig/components/DownloadLink.java

It's in a Subversion repository - you can get the entire project from here: 
http://scm.sipfoundry.org/rep/sipX/main/sipXconfig

If anybody comes up with something better, I'd like to know about it.
Damian

