
  • URL encoding issue

    Hi All,
    I am using Spring 1.2 version and whenever I use a RedirectView object for redirecting, the request object is displayed in the URL.
    Please help.

  • #2
    Can you put out some code and eventually your request which is displayed in the URL? This will help us.



    • #3
      Re:-

      Hi,
      Below is the URL: http://localHost:8090/myApplication/...010&empNo=9012

      So in the controller I am just forwarding it to timesheet.htm as follows:

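      public ModelAndView showForm(HttpServletRequest request, HttpServletResponse response,
              BindException error, Object commandObject) {
          // Model values for the timesheet view
          Map model = new HashMap();
          model.put("month", 1);
          model.put("year", 2010);
          model.put("empNo", 9012);

          // Redirect to timesheet.htm with the model attached
          ModelAndView mvc = new ModelAndView(new RedirectView("timesheet.htm"));
          mvc.addObject("EMP_DETAIL", model);
          return mvc;
      }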

      So in the address bar the below URL is displayed: http://localHost:8090/myApplication/...010&empNo=9012

      Because of this, anyone can modify the empNo and view the record of another user. So I need to prevent the display of the parameter while redirecting to the htm.

      Thanks



      • #4
        I think you should be able to use a hashing mechanism to hash the wanted parameter.



        • #5
          Exposing data in the URL is a very basic issue with web security and a very common problem. Are you actually using Spring Security? If you are then you should secure your service layer appropriately so that a user cannot access accounts they are not permitted to. Watch the Spring One 2010 presentation on the website which has a holiday booking application which is a very similar use case to a timesheet app.

          Hashing the parameter will not add any security. For a start you will not be able to work out the original value at the server, since hash algorithms are generally irreversible. And if you are just using a hash as an alternative to the numeric parameter, then it is of exactly the same value to an attacker as the numeric ID - it is an opaque key which can be used to specify the user.


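Post #5's advice, as an added example that is not part of the original thread: a service-layer check in plain Java (no Spring classes) that compares the requested empNo with the identity established at login, so an empNo edited in the address bar is refused. All class and method names, the manager rule and the sample records are hypothetical.

```java
import java.util.*;
// Added illustration: plain Java, no Spring classes. All names are hypothetical.
public class TimesheetAccessDemo {
    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    /** Caller identity as established at login (server-side session), never taken from the URL. */
    static class Caller {
        final int empNo;
        final Set<Integer> reports;   // employees this caller manages (assumed rule)
        Caller(int empNo, Integer... reports) {
            this.empNo = empNo;
            this.reports = new HashSet<>(Arrays.asList(reports));
        }
    }

    static class TimesheetService {
        private final Map<String, String> store = new HashMap<>();  // constructed sample data
        TimesheetService() {
            store.put("9012/2010/1", "timesheet of 9012");
            store.put("9013/2010/1", "timesheet of 9013");
        }

        /** empNo, year and month may come straight from the query string; the check decides. */
        String load(Caller caller, int empNo, int year, int month) {
            boolean own = caller.empNo == empNo;
            if (!own && !caller.reports.contains(empNo)) {
                throw new AccessDenied("employee " + caller.empNo + " may not read " + empNo);
            }
            String sheet = store.get(empNo + "/" + year + "/" + month);
            if (sheet == null) throw new NoSuchElementException("no timesheet");
            return sheet;
        }
    }

    public static void main(String[] args) {
        TimesheetService svc = new TimesheetService();
        Caller employee = new Caller(9012);
        Caller manager = new Caller(9001, 9012, 9013);
        System.out.println(svc.load(employee, 9012, 2010, 1));   // own record
        System.out.println(svc.load(manager, 9013, 2010, 1));    // a direct report
        try {
            svc.load(employee, 9013, 2010, 1);                   // empNo edited in the address bar
        } catch (AccessDenied e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The same check applies unchanged if the URL carries a hash or other opaque key instead of the number: the key only selects a record, and the comparison against the logged-in caller is what grants or refuses access.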

          • #6
            Re

            Hi,
            I made this finding after extracting the classes from Spring web 1.2 version and Spring 2.5 version: the class redirect has a method renderMergedOutputModel().
            So if we are using version 2.5, then we have a parameter in the constructor, exposemodelAttribute; if it is true, then the method appendQueryProperties is called, which is responsible for adding the model object in the header.
            This is missing in Spring 1.2 and was added in Spring 2.0 version.
            So could anyone please help me in encoding the URL using base64 encoding?

            The setencodingSchema does not support base64 encoding.

            Thanks,



            • #7
              Hello,

              I suggested hashing the parameter to hide the true value of the parameter, but since it is impossible to hide the parameter values, I guess you should implement a security layer. The goal of this new 'module' is to deny any access to the data store without having the required rights.

              Try to do this with Spring Security or Acegi.

              best wishes
