Encrypting the Query String!

Anirban Chowdhury
Ranch Hand

Joined: Aug 05, 2008
Posts: 36
Hi All Ranchers,

Struts Version :
Objective : To encrypt the queryString passed as URL params.

Eg. https://localhost:8443/T/
should be changed to https://localhost:8443/T/
or likewise.

1. I am already using https to prevent sniffing from outside, but here I am worried about the insiders poking into
somebody else's domain by tampering with the id_ parameter etc.

2. I cannot use POST in these cases. (And anyway they can also be tracked from the headers.)

Note the below 2 cases: the 1st one is a redirect from a saveAction to prevent duplicate transaction on refresh.

a> In my struts.xml I have the below setup

b> In my Menu.jsp, I have the following

Can anybody please help me in this regard? I have fiddled a lot with the options which Google provided me, like
modifying the s:url / s:param to encrypt the params.
I also fiddled with ParametersInterceptor.
I tried that as well and many other things, but still none of them
work satisfactorily. Can somebody please shed some light on how this can be done?
This is a bit critical, so I would really really .. really (yeah, 1 more to "really" show how I feel at the moment)
appreciate it if anybody could help me in this regard.

Thanks a lot for your time in advance.

P.S.: I am also trying to implement an authorization mechanism which will enable me to track if somebody is trying to access any data which does not belong to him.
This involves a database query for the logged-in user to see which entities he is actually tagged to. This will probably always work, but it becomes a maintenance nightmare, as we have to keep updating the query for any new types added, not to mention the multilevel querying for admins and so on.

To living life on the edge! I blog my experiences @