Url hiding

annapoorna ch
Greenhorn

Joined: Jan 20, 2010
Posts: 4
I am developing a Struts application. In it, for security purposes, I am not supposed to show the appended parameters in the URL.

How can I hide those parameters?

Like http://localhost:8080/admin/updateUsr.do?dispmethd=showUpdate&userName=14504

but I have to show only

http://localhost:8080/admin/updateUsr.do

Here I do not want to use the POST method. Can anyone give me a suggestion, please?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42611
    
Welcome to JavaRanch.

here i do not want to use post method

Why not?


Jeremiah Orr
Greenhorn

Joined: Jan 20, 2010
Posts: 6
If this decision is in your control (I know sometimes it isn't), then you might want to rethink whether having the parameters in the URL is truly a security concern. By viewing the HTML source (right-click > View Source in Explorer), anyone can see all the parameter names and values (that aren't user-input). Since the browser is sending this information to the server, there is no way around that, via POST or any other mechanism. It takes a tiny bit of extra work, but that is no deterrent to someone with a rudimentary understanding of web technology; anyone who doesn't have this understanding is probably not a security risk anyway.

I've had this argument many times, with mixed results, but I can tell you that having the parameters in the URL is no less secure than any other mechanism of submitting information to a web application. I'd recommend POST whenever you're submitting form data (particularly if passwords are part of it), but for page-to-page navigation, "parameterized URLs" are fine.
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30929
    

Jeremiah Orr wrote: If this decision is in your control (I know sometimes it isn't), then you might want to rethink whether having the parameters in the URL is truly a security concern.

There is one specific security concern - having the URLs in web access logs. This is only a problem if you are on HTTPS, though, as for HTTP anyone can see your URLs too.

Most of the time, this is not the concern people are trying to address. If you are trying to hide info from your user, moving info from the URL to the page doesn't help.


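Added example (not part of the thread and not any poster's code): a loopback Java server that records the request line the way an access log does, showing that the parameters from the question's URL are logged for GET and absent from the log for POST, while the server receives the same values either way. The class name, the in-memory lists standing in for logs, and the ephemeral loopback port are assumptions for illustration; it needs Java 11 or later.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added illustration; the class name and the in-memory "logs" are hypothetical.
public class UrlParamLogDemo {
    public static void main(String[] args) throws Exception {
        List<String> accessLog = Collections.synchronizedList(new ArrayList<>());
        List<String> received = Collections.synchronizedList(new ArrayList<>());

        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/admin/updateUsr.do", ex -> {
            // An access log records method and request URI (path + query), not the body.
            accessLog.add(ex.getRequestMethod() + " " + ex.getRequestURI());
            // The application still receives the parameters, from the query or the body.
            String body = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            String query = ex.getRequestURI().getRawQuery();
            received.add(query != null ? query : body);
            ex.sendResponseHeaders(204, -1); // 204 No Content, no response body
            ex.close();
        });
        server.start();

        String params = "dispmethd=showUpdate&userName=14504"; // values from the question's URL
        String base = "http://127.0.0.1:" + server.getAddress().getPort() + "/admin/updateUsr.do";
        HttpClient client = HttpClient.newHttpClient();
        try {
            client.send(HttpRequest.newBuilder(URI.create(base + "?" + params)).GET().build(),
                    HttpResponse.BodyHandlers.discarding());
            client.send(HttpRequest.newBuilder(URI.create(base))
                    .header("Content-Type", "application/x-www-form-urlencoded")
                    .POST(HttpRequest.BodyPublishers.ofString(params)).build(),
                    HttpResponse.BodyHandlers.discarding());
        } finally {
            server.stop(0);
        }
        accessLog.forEach(line -> System.out.println("access log: " + line));
        received.forEach(p -> System.out.println("server saw: " + p));
    }
}
```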