How to avoid sending authentication parameters in request url?
|
shiva kuppa
Greenhorn
Joined: Aug 15, 2006
Posts: 2
|
|
Hi,
I have <html:text property="username"> and <html:password property="password"> and I do <html:form action="logon.do" method="post">
I can submit the form like this
https://xyz/logon.do?username=devuser&password=devpwd
and I get the values in the action class from the action form.
How do I avoid treating URL request parameters as form parameters in Struts?
|
 |
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56158
|
|
|
"shiva vkk", please check your private messages for an important administrative matter.
|
|
 |
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56158
|
|
If your form is a post, the values should not appear on the URL.
However, sending them as a post doesn't make them any more secure than a get, just because they are not on the URL. They are still sent as plain text in the request body.
If you are concerned with security, you need to use SSL to encrypt the data during transmission.
|
 |
shiva kuppa
Greenhorn
Joined: Aug 15, 2006
Posts: 2
|
|
Thank you for the information.
But is there any way to stop treating request parameters as form parameters when I forcefully send parameters through the request URL?
I want to prevent the login from succeeding when doing this:
https://xyz/logon.do?username=devuser&password=devpwd
Is there any hack or a real solution for this?
|
 |
Paul Clapham
Bartender
Joined: Oct 14, 2005
Posts: 16482
|
|
|
The real solution is what Bear just said. Don't go looking for hacks when real solutions exist.
|
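One way to enforce what the original poster asks for, as an added example that is not code from any poster in this thread: a servlet filter that lets the logon request through only when it is a POST and the query string carries no credential fields. The class name and the mapping to /logon.do are assumptions; the field names come from the form in the first post.

```java
import java.io.IOException;
import java.net.URLDecoder;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class name). Map it to /logon.do in web.xml
// with <filter> and <filter-mapping> so it runs before the Struts action.
public class LogonPostOnlyFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A GET such as /logon.do?username=...&password=... stops here.
        if (!"POST".equals(request.getMethod())) {
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        // getParameter() merges query-string and body values, so a POST to
        // /logon.do?username=... would still populate the ActionForm.
        if (carriesCredentials(request.getQueryString())) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Credentials must be sent in the request body");
            return;
        }
        chain.doFilter(req, res);
    }

    // True if the raw query string names a credential field from the form.
    static boolean carriesCredentials(String query) {
        if (query == null) return false;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq >= 0 ? pair.substring(0, eq) : pair;
            try {
                String name = URLDecoder.decode(rawName, "UTF-8");
                if (name.equals("username") || name.equals("password")) return true;
            } catch (Exception e) {
                return true; // malformed encoding: reject rather than guess
            }
        }
        return false;
    }
}
```

A URL that carries credentials may already sit in browser history, proxy logs and server access logs by the time the filter rejects it, so the filter limits what the server accepts, not what was exposed. Protection in transit still comes from SSL.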