how to hide the struts2 action name being displayed in the URL

 
Greenhorn
Posts: 9
Hi,
I am using struts2 for an application.
I have some methods in the action class like getContactDetails(), updateContactDetails() with getcontact.action and updatecontact.action.
When the request is made those action names are shown in the URL.
Is there any way to hide the action name being displayed in the URL?

The reason is simply that I do not want someone to guess the action name and try to manipulate it, though I have taken care of CSRF and XSS prevention.
Alternatively I can code the action name as something like ...ABCDG00 but it will damage the programming conventions.



-Manjesh
 
Ranch Hand
Posts: 2187

> when the request is made those action names are shown in the URL.



Your issue is coming from the way "you" have designed the navigation.

Your Action objects should forward processing to JSP files.

The Action object is the Controller. The JSP file is the View. The URL displayed in the browser should only show JSP file-names.
 
manjesh ipp
Greenhorn
Posts: 9
Jimmy,

What do you mean by "Action objects should forward processing to JSP files"?

When updateContactDetails() returns SUCCESS, contact.jsp will be displayed and I do see the 'updateContact' in the URL at this point of time.
Do you mean I should use something like ResultType "Chain"? I do not find anything similar to RequestDispatcher.forward(req,res).

Thanks
Manjesh



 
Ranch Hand
Posts: 329

> though I have taken care of CSRF and XSS prevention.


So what are you protecting the application from, to think about disguising the URL? I do not see any reason, as you already stated...

> damage the programming conventions


Identification of the threat is the first and a must activity that should be done; unnecessary implementations would result in maintenance issues/burden and performance issues but nothing else...
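Added example, not part of any post in this thread: for the threat named in the question (someone guessing an action name and calling it), a per-action authorization check makes the name's visibility irrelevant. The sketch assumes Struts 2.x (`com.opensymphony.xwork2` packages); the session keys, role names and the "denied" result are hypothetical.

```java
// Added example, not code from the thread. Assumes Struts 2.x, where the
// interceptor API lives in com.opensymphony.xwork2.
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

import java.util.Map;
import java.util.Set;

public class ContactAuthzInterceptor extends AbstractInterceptor {

    // Hypothetical session keys, set by the application's own login code.
    private static final String USER_KEY = "user";
    private static final String ROLES_KEY = "roles";

    // Action names from the thread mapped to hypothetical role names.
    private static final Map<String, String> REQUIRED_ROLE = Map.of(
            "getcontact", "contact-viewer",
            "updatecontact", "contact-editor");

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        String actionName = invocation.getProxy().getActionName();

        // No authenticated user: send to the "login" result.
        if (session == null || session.get(USER_KEY) == null) {
            return Action.LOGIN;
        }

        // Deny by default: an action with no entry in the table is refused,
        // so a newly added action is not exposed by accident.
        String required = REQUIRED_ROLE.get(actionName);
        Object roles = session.get(ROLES_KEY);
        boolean allowed = required != null
                && roles instanceof Set
                && ((Set<?>) roles).contains(required);
        if (!allowed) {
            return "denied"; // hypothetical result name, mapped as a global result
        }

        // Caller is authenticated and authorised: run the action.
        return invocation.invoke();
    }
}
```

The interceptor takes effect only once it is declared in struts.xml and added to the interceptor stack of the package that holds these actions. Record-level checks (does this contact belong to this user) still belong in the action itself.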
 