JavaRanch » Java Forums » Java » Servlets
how to bypass url parameters?

Kameswari Jyosyula
Ranch Hand

Joined: Feb 20, 2001
Posts: 39
I am trying to give a link to a Crystal Report in my JSP file. The Crystal Report accesses a database. Hence in my URL I am passing the username and password for the database (different from the user login), e.g. http://myurl.com?user0=myuser&password0=mypwd
I don't want the user to see this. Is there any other way of passing this data (say, put them in a cfg file and call them in this URL), like user0=mybean etc.?
If not, is there any way of disabling the user from seeing the userid and password? (Both when the user points the mouse on the link and when "view source" is selected from the browser menu.)
TIA
sanj singh
Ranch Hand

Joined: Jun 30, 2001
Posts: 129
Try setting them as attributes of the session.
DAYANAND BURAMSHETTY
Ranch Hand

Joined: Aug 06, 2001
Posts: 34
Hi,
I think you are using the GET method (<form method=get>); that's why
you see the userid and password. If you use the POST method then
you can't see the userid and password.
<form method=post action="">
....
If I'm wrong, correct me.


Dil se...,
Dayanand
0065-8839071 (off)
0065-7547034 (Res)
Randall Twede
Ranch Hand

Joined: Oct 21, 2000
Posts: 4340
I agree; the problem is you are doing a "GET" rather than a "POST".
GET passes parameters in the URL; POST passes them in the body of the request.


SCJP
Visit my download page
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16012
I VERY STRONGLY urge you NOT to pass user IDs and passwords to the client system. There are any number of simple tools out there (including the "view source" browser option) that can be used to find out what they are and cause mischief. You're better off keeping these items as session variables so that they never leave the server.


Customer surveys are for companies who didn't pay proper attention to begin with.
Madhav Lakkapragada
Ranch Hand

Joined: Jun 03, 2000
Posts: 5040

Tim:
I agree with you 100%. Also, if you have observed something here...
"my url i am passing the username and password for the database"
I may be guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB.
Am I right?
(Technically speaking, not that I would attempt it....)
- satya

Take a Minute, Donate an Hour, Change a Life
http://www.ashanet.org/workanhour/2006/?r=Javaranch_ML&a=81
Kameswari Jyosyula
Ranch Hand

Joined: Feb 20, 2001
Posts: 39
Right guys,
I share your concern regarding the client being able to access the DB. So what we did is a sort of workaround: we created a DB with "guest" as user and password and gave that user very limited privileges, and also the new DB has nothing sensitive. Thus we avoided the userid and password of the DB itself. Of course we are using the POST method.
Thanks
Madhav Lakkapragada
Ranch Hand

Joined: Jun 03, 2000
Posts: 5040
"ofcourse we are using the post method"
FYI...
There is still a possibility of looking up the username and password if you are sending it to the client, say via "view source". Even hidden fields can be seen.
regds.
- satya
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16012
"I may be guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB. Am I right?"
Once you know the username and password, you can do anything you want in any language you want! Sure, JDBC applets get constrained by the Java sandbox, firewalls may intervene, the userID might have read-only privileges, but these are just details.
Actually, if the userID and password were really a special limited account just for the web browser, I'd just hard-code them into the JSP/Servlet and never send them out or store them at all! Why bother if the actual user's ID is immaterial?
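The approach Tim describes, put into working code as an added example (this servlet is not from the thread or any of its posters): the browser only ever sees a link like `report?name=sales`; the limited read-only database account is read once from server-side configuration and never reaches a URL, hidden field or page source. The context-param names `report.db.url`, `report.db.user` and `report.db.password`, the session attribute `appUser` set by the application's own login code, and the two report tables are assumptions made for the example; the JDBC driver is assumed to be on the container classpath.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Added example: serves reports with a limited DB account whose credentials
 * live only on the server. Assumed (hypothetical) deployment: web.xml defines
 * context-params report.db.url / report.db.user / report.db.password, and the
 * application's login stores the logged-in user in the session as "appUser".
 */
public class ReportServlet extends HttpServlet {

    // Report name -> fixed SQL. Only names in this map are accepted, so no
    // request text ever becomes part of a SQL statement.
    private static final Map<String, String> REPORTS = new HashMap<String, String>();
    static {
        REPORTS.put("sales", "SELECT region, total FROM sales_summary ORDER BY region");
        REPORTS.put("stock", "SELECT item, qty FROM stock_levels ORDER BY item");
    }

    private String dbUrl;
    private String dbUser;
    private String dbPassword;

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        // Loaded once from server-side configuration; never copied into the
        // session, a cookie, a hidden field or the response body.
        ServletContext ctx = config.getServletContext();
        dbUrl = ctx.getInitParameter("report.db.url");
        dbUser = ctx.getInitParameter("report.db.user");
        dbPassword = ctx.getInitParameter("report.db.password");
        if (dbUrl == null || dbUser == null || dbPassword == null) {
            throw new ServletException("report.db.* context-params not configured");
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The DB account is not the user's identity: require an existing
        // application login before running anything against the database.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("appUser") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String sql = REPORTS.get(req.getParameter("name"));
        if (sql == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND, "unknown report");
            return;
        }

        // Run the query and collect rows before writing any output, so a
        // failure can still produce a clean error status.
        List<String[]> rows = new ArrayList<String[]>();
        Connection conn = null;
        try {
            conn = DriverManager.getConnection(dbUrl, dbUser, dbPassword);
            ResultSet rs = conn.prepareStatement(sql).executeQuery();
            int cols = rs.getMetaData().getColumnCount();
            while (rs.next()) {
                String[] row = new String[cols];
                for (int i = 0; i < cols; i++) {
                    row[i] = rs.getString(i + 1);
                }
                rows.add(row);
            }
        } catch (SQLException e) {
            // Log server-side only: driver messages can contain the JDBC URL
            // or user name, so they must not be echoed to the browser.
            log("report query failed", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignored) { }
            }
        }

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><table>");
        for (String[] row : rows) {
            out.print("<tr>");
            for (String cell : row) {
                out.print("<td>" + escape(cell) + "</td>");
            }
            out.println("</tr>");
        }
        out.println("</table></body></html>");
    }

    // Minimal HTML escaping so report data cannot inject markup into the page.
    private static String escape(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }
}
```

The JSP then links with `<a href="report?name=sales">Sales report</a>` and nothing more. Switching the form from GET to POST, or moving the values into hidden fields, would not have helped: both travel to the browser and both are visible in "view source" or with any proxy, which is the point Madhav and Tim make above. Keeping the credentials in `init()` state (or in `web.xml`) is what actually keeps them off the wire.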