How to encrypt and Decrypt form parameters?

asif abdul aziz
Greenhorn

Joined: Aug 28, 2008
Posts: 6
Hi all,
I would like to know how to encrypt and decrypt form POST parameters.

Here is my code:

    // needed in the servlet (in a JSP: <%@ page import="java.text.*" %>)
    import java.text.DecimalFormat;
    import java.text.NumberFormat;

    try {
        out.println("<html><body><form name=test method=post action='second.jsp'>");
        NumberFormat formatter = new DecimalFormat("#0.000");
        String val1 = req.getParameter("esal");   // getParameter() returns a String, not an int
        // format(...) must be closed before the closing quote is appended
        out.println("<input type=hidden name='param1' value='" + formatter.format(Float.parseFloat(val1)) + "'>");
    } catch (Exception e) {
        System.out.print("error");
    }
    out.println("</form>");
    out.println("<script language='javascript'>document.test.submit();</script>");
    out.println("</body></html>");
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42282
Welcome to JavaRanch.

The standard API for doing encryption is called JCE. Here's an example of how to use it with the DES cipher (which is obsolete - you should use "TripleDES" instead, but the code is the same).
Keep in mind that encrypted data is binary, so you can't add it to a page directly; you'll need to convert it to a string, using something like base-64 encoding.

Having said that, if the data that's to be kept secret exists on the server, why send it to the client in the first place? Why not put it in a session, and save yourself from the encryption overhead?


Ping & DNS - my free Android networking tools app
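An added example of the JCE approach from the reply above (not code from the thread): the server seals the value before writing it into the hidden field and opens it on the next request. It uses AES-GCM in place of the DES/TripleDES named in the post, because an authenticated cipher makes an edited field fail decryption outright; the key-generation helper and the class name are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example: seal a value for a hidden field on one request and open it on the
// next. AES-GCM (instead of the DES/TripleDES named in the post) is authenticated,
// so a field edited in transit fails to decrypt rather than decrypting to garbage.
public class FormFieldSealer {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final SecretKey key;                 // stays on the server
    private final SecureRandom random = new SecureRandom();

    public FormFieldSealer(SecretKey key) { this.key = key; }

    // Assumed helper: generate the key once at startup and keep it in server config.
    public static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Output is base64url text, safe inside value='...' without further escaping.
    public String seal(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                    // never reuse an IV with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);   // iv || ciphertext || tag
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Throws (AEADBadTagException for a tampered field) if the input is not intact;
    // the servlet should catch any exception here and reject the request.
    public String open(String sealed) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(in, 0, IV_BYTES)));
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }
}
```

The string returned by seal() is what goes into the hidden input; second.jsp calls open() on the submitted parameter and treats any exception as a tampered request.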
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

I wouldn't; it would be far easier and safer to use HTTPS for the data transfer, and make sure the form uses POST rather than GET.
asif abdul aziz
Greenhorn

Joined: Aug 28, 2008
Posts: 6
hi,
I am using HTTPS and the POST method only. But there are some tools like Tamper Data (https://addons.mozilla.org/en-US/firefox/addon/966) which can be used to view and modify HTTP/HTTPS headers and POST parameters.

I am trying to avoid that.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42282
Sure, the client can submit anything he wants - HTTPS only protects the data in transit. But if the point is to prevent the client from seeing the data, then HTTPS does not help, and real encryption -or not round-tripping the data in the first place- is in order. Maybe you can clarify what exactly you're trying to accomplish.
[ August 28, 2008: Message edited by: Ulf Dittmer ]
asif abdul aziz
Greenhorn

Joined: Aug 28, 2008
Posts: 6
hi,
I want to prevent the client from changing the submitted data using the Tamper Data tool. How can I avoid that?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42282
By using encryption, or not round-tripping the data in the first place.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

The client will always be able to use the tool to alter the form data, I think you need to focus on whether you accept these changes.

One way, as Ulf mentions, is to encrypt the data on the server before sending it to the client. If the client alters the data it will no longer decrypt. Again as Ulf says, better not to send it to the client at all in this case.

Another possibility is to attach an MD5 fingerprint. We do this with online forms that contain a destination email address. This way we can store the address and fingerprint in the form, and the email address cannot be altered (note that a salt value is used in the MD5 to prevent the client substituting their own MD5)

Is any of this coming close to the mark, or do you need to provide more details?
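An added example of the fingerprint idea from the reply above (not the poster's own code): the server writes the destination address and its fingerprint into two hidden fields, and on submit recomputes the fingerprint before trusting the address. It uses HMAC-SHA256 with a server-side secret rather than salted MD5; the secret value and class name are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: a keyed fingerprint for the hidden "destination address" case.
// HMAC-SHA256 replaces the salted MD5 of the post; the key never leaves the server,
// so a client cannot recompute a valid fingerprint for a changed address.
public class FormFingerprint {
    private final SecretKeySpec key;

    public FormFingerprint(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    // The fingerprint covers the field name as well as the value, so a valid
    // value/fingerprint pair cannot be replayed under a different field.
    public String fingerprint(String fieldName, String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        mac.update(fieldName.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0);                            // separator between name and value
        mac.update(value.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(mac.doFinal());
    }

    // Called on submit: recompute from the submitted value and compare in constant time.
    public boolean verify(String fieldName, String value, String presented) throws Exception {
        if (value == null || presented == null) return false;
        byte[] expected = fingerprint(fieldName, value).getBytes(StandardCharsets.UTF_8);
        byte[] given = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder secret; load a random 32-byte secret from config in practice.
        byte[] secret = "replace-with-a-random-32-byte-secret".getBytes(StandardCharsets.UTF_8);
        FormFingerprint fp = new FormFingerprint(secret);
        String addr = "orders@example.com";
        String tag = fp.fingerprint("dest", addr);       // addr and tag both go into hidden inputs
        System.out.println(fp.verify("dest", addr, tag));                // submitted unchanged
        System.out.println(fp.verify("dest", "other@example.com", tag)); // address edited by the client
    }
}
```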
asif abdul aziz
Greenhorn

Joined: Aug 28, 2008
Posts: 6
hi,
"Again as Ulf says, better not to send it to the client at all in this case".

How can I do that?
asif abdul aziz
Greenhorn

Joined: Aug 28, 2008
Posts: 6
hi,
"Another possibility is to attach an MD5 fingerprint".

What is this MD5 fingerprint?
Any tutorial or sample code will help me a lot.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42282
You can store it somewhere on the server, along with an identifier of the user to which it belongs. HTTP sessions are one way to achieve this, and probably the easiest since it doesn't require much code to implement.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Another option is to store the data on the server attached to a token, then send the token to the client. This is similar to placing data on the session except you can reuse the token (multiple clients behaving in the same way), and the token has nothing to do with the actual data - as long as you ensure that altering the token doesn't jeopardise the security of the application!

The main difference between this and the session is that the data only exists in the request scope and won't cause concurrency issues common in session data (e.g. two forms open at the same time).
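An added example of the token approach described above (not code from the thread): the value stays on the server and only an unguessable token goes into the hidden field. Making the token single-use and time-limited is an added choice here; the store would live as an application-scoped object (e.g. a ServletContext attribute), and the class name and 10-minute lifetime are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: the value never reaches the browser, only a random single-use
// token does. Altering the token cannot expose or change the stored value; it
// simply fails to redeem.
public class FormTokenStore {
    private static final long TTL_MILLIS = 10 * 60 * 1000L;   // assumed lifetime

    private static final class Entry {
        final String value; final long expires;
        Entry(String value, long expires) { this.value = value; this.expires = expires; }
    }

    private final Map<String, Entry> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Called while rendering the form: returns the token for the hidden field.
    public String issue(String value) {
        byte[] raw = new byte[24];
        random.nextBytes(raw);                                // 192 bits from a CSPRNG
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(token, new Entry(value, System.currentTimeMillis() + TTL_MILLIS));
        return token;
    }

    // Called on submit: the stored value, or null if the token is unknown, already
    // used, or expired. remove() makes it single-use, and because each rendered form
    // gets its own token, two forms open at once do not clash as session data would.
    public String redeem(String token) {
        if (token == null) return null;
        Entry e = store.remove(token);
        if (e == null || e.expires < System.currentTimeMillis()) return null;
        return e.value;
    }

    public static void main(String[] args) {
        FormTokenStore tokens = new FormTokenStore();
        String token = tokens.issue("1234.567");              // goes into the hidden field
        System.out.println(tokens.redeem(token));             // first use of the token
        System.out.println(tokens.redeem(token));             // second use of the same token
        System.out.println(tokens.redeem("made-up-token"));   // a token the client invented
    }
}
```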
asif abdul aziz
Greenhorn

Joined: Aug 28, 2008
Posts: 6
hi,
I tried using session variables. The user or client cannot modify or do anything, even using the Firefox Tamper Data tool. It works. Thanks.

I have a doubt about session variables. Here it is:

Let's say

at http://abc.com I create a session variable and forward to a different domain http://xyz.com, and this http://xyz.com does some validation and then forwards to the http://pqr.com domain.

Can the session variable be passed to and retrieved from different domains as in the above scenario?
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

The session will not be available in all domains unless they are all on the same server (or cluster) and single sign-on is enabled, or some other form of data sharing is enabled between the domains.