how to hide the struts2 action name being displayed in the URL
manjesh ipp
Greenhorn
Joined: Jan 01, 2011
Posts: 7
Hi,
I am using Struts2 for an application.
I have some methods in the action class like getContactDetails() and updateContactDetails(), with getcontact.action and updatecontact.action.
When the request is made, those action names are shown in the URL.
Is there any way to hide this action name being displayed in the URL?
The reason is simply that I do not want someone to guess the action name and try to manipulate it, though I have taken care of CSRF and XSS prevention.
Alternatively, I can code the action name as something like ...ABCDG00, but it will damage the programming conventions.
-Manjesh
Jimmy Clark
Ranch Hand
Joined: Apr 16, 2008
Posts: 2187
> when the request is made those action names are shown in the URL.
Your issue is coming from the way "you" have designed the navigation.
Your Action objects should forward processing to JSP files.
The Action object is the Controller. The JSP file is the View. The URL displayed in the browser should only show JSP file-names.
manjesh ipp
Greenhorn
Joined: Jan 01, 2011
Posts: 7
Jimmy,
What do you mean by "Action objects should forward processing to JSP files"?
When updateContactDetails() returns SUCCESS, contact.jsp will be displayed and I do see the 'updateContact' in the URL at this point of time.
Do you mean I should use something like ResultType "Chain"? I do not find anything similar to RequestDispatcher.forward(req,res).
> though I have taken care of CSRF and XSS prevention.
So what are you protecting the application from, to think about disguising the URL? I do not see any reason, as you already stated...
> damage the programming conventions
Identification of the threat is the first and must-do activity; unnecessary implementations would result in maintenance issues/burden and performance issues, but nothing else...
Have Fun with Java
little,little.. little by little makes a lot..
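The concern raised in this thread, someone guessing getcontact.action or updatecontact.action and calling it directly, is handled by checking authorization on the server for every action rather than by obscuring the name. The interceptor below is an added example, not code from any poster in this thread; the role names, the "userRoles" session key and the "forbidden" result name are assumptions made for illustration.

```java
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Deny-by-default authorization keyed on the Struts2 action name.
 * A caller who guesses an action name still needs the matching role.
 */
public class ActionAuthorizationInterceptor extends AbstractInterceptor {

    // Action name as mapped in struts.xml (without ".action") -> required role.
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();
    static {
        REQUIRED_ROLE.put("getcontact", "CONTACT_READ");      // hypothetical role name
        REQUIRED_ROLE.put("updatecontact", "CONTACT_WRITE");  // hypothetical role name
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String actionName = invocation.getProxy().getActionName();
        Map<String, Object> session = invocation.getInvocationContext().getSession();

        // Assumption: the login code stores a Set of role names under "userRoles".
        Object stored = (session == null) ? null : session.get("userRoles");
        if (!(stored instanceof Set)) {
            return Action.LOGIN; // not authenticated: send to the "login" result
        }
        Set<?> roles = (Set<?>) stored;

        // Actions missing from the map are refused, so a newly added action
        // is unreachable until someone decides which role may call it.
        String required = REQUIRED_ROLE.get(actionName);
        if (required == null || !roles.contains(required)) {
            return "forbidden"; // hypothetical global result name
        }

        // Authorized: continue down the interceptor stack to the action method.
        return invocation.invoke();
    }
}
```

To take effect, the interceptor has to be declared in struts.xml and placed in the interceptor stack used by these actions, with global results mapped for "login" and "forbidden".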