How to avoid sending authentication parameters in request url?

shiva kuppa
Greenhorn

Joined: Aug 15, 2006
Posts: 2
Hi,
I have <html:text property="username"> and <html:password property="password"> and I do <html:form action="logon.do" method="post">

I can submit the form like this

https://xyz/logon.do?username=devuser&password=devpwd

and I get the values in the action class from the action form.

How to avoid treating URL request parameters as form parameters in Struts?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61437
    

"shiva vkk", please check your private messages for an important administrative matter.


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61437
    

If your form is a post, the values should not appear on the URL.

However, sending them as a post doesn't make them any more secure than a get, just because they are not on the URL. They are still sent as plain text in the request body.

If you are concerned with security, you need to use SSL to encrypt the data during transmission.
shiva kuppa
Greenhorn

Joined: Aug 15, 2006
Posts: 2
Thank you for the information.
But is there any way to stop treating request parameters as form parameters when I forcefully send parameters through the request URL?
I want to prevent/stop a successful login when doing this:
https://xyz/logon.do?username=devuser&password=devpwd
Is there any hack or a real solution for this?
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18675
    

The real solution is what Bear just said. Don't go looking for hacks when real solutions exist.
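
The server-side check the question asks about, as an added example that is not code from this thread: a Struts 1 base action that refuses non-POST requests and any request carrying a query string, since the servlet API merges query-string and POST-body parameters before the form bean is populated. The class name `BodyOnlyPostAction` and the method `executeBodyOnly` are hypothetical names chosen for this illustration; a logon action would extend the class and do its authentication in that method.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical base class: subclasses only ever see POST requests with no query string.
public abstract class BodyOnlyPostAction extends Action {

    @Override
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {

        // 1. Only POST may reach the logon logic; GET, HEAD, PUT etc. are refused.
        if (!"POST".equals(request.getMethod())) {
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return null; // response already committed, no forward
        }

        // 2. A POST to logon.do?username=...&password=... still fills the form bean,
        //    because getParameter() sees query-string and body parameters together.
        //    The logon form posts to a bare URL, so any query string is refused
        //    outright rather than parsed (avoids disagreeing with the container's parser).
        String query = request.getQueryString();
        if (query != null && query.length() > 0) {
            // Do not log the query string here: it may contain the password.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return null;
        }

        // 3. Parameters can now only have come from the request body.
        return executeBodyOnly(mapping, form, request, response);
    }

    // Subclasses put the real work (e.g. checking username/password) here.
    protected abstract ActionForward executeBodyOnly(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;
}
```

By the time this check runs, a URL such as the one in the question has already been written to the web server's access log, so credentials that arrived that way should be treated as exposed even though the login is refused.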
 
 