url encryption

 
Greenhorn
I'm using JSP together with Struts and I need to set up a user with a link with sensitive information in the query string. So far I have not been able to find a way to encrypt the query string so the parameters are invisible (encrypted) to the user. I have tried this code with no success:

<%
// encodeRedirectURL() only adds session tracking to the URL when needed; it does not encrypt anything.
String redirectURL = "http://someurl?name=param&id=3455";
response.sendRedirect(response.encodeRedirectURL(redirectURL));
%>

I thought there may be a tag library or Java library that would accomplish this task, but I've been unsuccessful so far. Any thoughts?

Thanks.
 
Rancher
Welcome to JavaRanch.

Any URL encodings are just that - encodings, which are easily reversed. If you're really concerned about it, use encryption (e.g. using the JCE API, with help of the JCE taglib).

But what exactly do you mean by "sensitive"? What kinds of attacks do you expect? Or is it that the user should not see the ID?
[ December 20, 2006: Message edited by: Ulf Dittmer ]
 
Mike Ash
Greenhorn
I'm using this in conjunction with Oracle Reports. The link that the user will be clicking on could potentially have information about their account and such. Basically, one of the requirements on the project is that the URL be either encrypted or not visible...
 
Ulf Dittmer
Rancher
Why would a user not be allowed to see information (or even just IDs) for their own account?

A non-visible URL (or hidden parameter) provides no security at all.
[ December 20, 2006: Message edited by: Ulf Dittmer ]
 
Mike Ash
Greenhorn
Oracle Reports lives on a completely separate server and there is authentication information for that particular server that no user should ever see.
 
Sheriff
Then you will need to use encryption which, as pointed out, is not the same as encoding.

We don't have a specific forum dedicated to encryption, so I've moved this to the intermediate Java forum.
 
Bear Bibeault
Sheriff
Also note that you do not encrypt the entire URL, just the request parameters.
 
Mike Ash
Greenhorn
I'm familiar with the difference between encryption and encoding (I discovered the difference when trying to use encodeRedirectURL() ). I was curious about some sort of encryption for the string that would not allow users to make sense out of it. I must pass the server authentication in my query string and I don't want it to be visible to the user.
 
Mike Ash
Greenhorn
If you only encrypt the request parameters, is there a way to do this?
 
Ulf Dittmer
Rancher
Encrypting the parameters is not a problem, but you'd need to change the reporting server so that it recognizes the encrypted parameters. Whether that's possible depends entirely on the reporting server.
 