Encoding action Url for increasing the web app security

Ravi Sree
Ranch Hand

Joined: Jan 24, 2010
Posts: 62

Hi All,

I am working on a web project using servlets, filters, JSP, JDBC, etc.
In this, I plan to use common patterns like
Front Controller, Command, DAO, Abstract Factory, Factory, etc.
So far I have been able to design the model layer (BO, DAO, DTO layers).
Now, if the user wants to go to the user's home page from a certain page,
the URL as of now will be
./user/Home

which when encountered by the controller using the Command Pattern
will instantiate the action
com.abc.user.Home
to handle the request.

I feel this action URL can be encoded for more security, even without using HTTPS.

I am aware of encodeUrl(String), which adds the session ID to the URL.
But is there anything more that can be done to ensure security?

I will appreciate your opinions regarding this.

Regards,
Sree

P.S. Please feel free to ask if I need to be clearer about my question.
Madhan Sundararajan Devaki
Ranch Hand

Joined: Mar 18, 2011
Posts: 312

In my opinion, instead of writing your own Framework (unless you are a Framework developer) you may use the popular frameworks such as Struts2 or Spring etc... to solve your business problems at the earliest. The popular frameworks also offer security and performance.


S.D. MADHAN
Not many get the right opportunity !
Ravi Sree
Ranch Hand

Joined: Jan 24, 2010
Posts: 62

Madhan Sundararajan Devaki wrote:In my opinion, instead of writing your own Framework (unless you are a Framework developer) you may use the popular frameworks such as Struts2 or Spring etc... to solve your business problems at the earliest. The popular frameworks also offer security and performance.


Hi Madhan,

Thanks for replying,

I agree with your point of "not trying to reinvent the wheel",
and although I went through some of the framework code,
I could not fully understand the flow details.

What I am really trying to do here is get a thorough knowledge
by working up from scratch.

I hope I am not being unreasonable.

Regards,
Sree
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60782

Encoding of any kind offers no security benefits at all. Perhaps you meant encrypting?

But in any case, no you cannot encode or encrypt the URL in any way and expect things to work. What security issue are you trying to avoid? I think you are just tilting at windmills.


Ravi Sree
Ranch Hand

Joined: Jan 24, 2010
Posts: 62

Hi Bear,

As far as terms go, yes, I meant encrypting.

Regards,
Sree
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60782

You can encrypt values in the URL but not the complete URL. The context path and servlet path must be in clear text. No security issues are introduced by having these paths in clear text.
Ravi Sree
Ranch Hand

Joined: Jan 24, 2010
Posts: 62

Bear Bibeault wrote:You can encrypt values in the URL but not the complete URL. The context path and servlet path must be in clear text. No security issues are introduced by having these paths in clear text.


Thanks Bear,

I got your point.
Upon searching for some security issues,
I found things like 'packet sniffing', 'cross-site request forgery', etc.
How can I protect the requests from such attacks? (This is what I originally meant by improving security.)
Also, can you shed some light on what the 'Base64' encoding type is and why it is used in real-life situations?

Regards,
Sree
Madhan Sundararajan Devaki
Ranch Hand

Joined: Mar 18, 2011
Posts: 312

To avoid the problems you have just described, please use https instead of http.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15957

To expand on Madhan's recommendation: packet sniffing isn't the issue. Unless every millimetre of the cable between client and server is physically isolated, people can sniff packets. Even then you're not totally safe, since tricks like monitoring the "radio noise" generated by computers and network equipment have been done.

The key is to make the "sniffed" data unusable, and that means encrypting the packets themselves. You can't encrypt EVERYTHING, since things like the destination IP address in the packet header have to be readable by network routers. But you can encrypt the payload, and that's the important part.

The easiest way to do that is to employ Transport Layer Security (TLS). When using web protocols, that means using https instead of http. When you do that, the client and server will negotiate the most secure common encryption protocol that they both understand and employ it. This negotiation is transparent, but very important, since periodically someone manages to "break" an encryption technique, and a new scheme must be used instead. Since you don't want to have people scrambling to reset their security framework (or worse yet, rebuild all the webapps), this plug-in approach keeps the whole thing manageable.

BASE64 isn't really encryption, except briefly in the minds of some people at Adobe, perhaps. It's just a very predictable method for rearranging bits.


Customer surveys are for companies who didn't pay proper attention to begin with.
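The two points made above (Bear's: you can encrypt a value carried in the URL, but the context path and servlet path stay in clear text; Tim's: Base64 is a reversible rearrangement of bits, not encryption), shown as an added Java example that is not code from this thread. It assumes a server-side AES key that is generated once per deployment and never sent to the client; here it is generated in memory so the class runs stand-alone. The cipher mode (AES-GCM) is my choice, not something the thread specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Encrypts a single URL parameter value with AES-GCM and packs it as URL-safe Base64.
 * The servlet path (/user/Home) is never touched: the container needs it in clear text
 * to route the request at all.
 */
public class UrlValueCrypto {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;              // assumption: held server-side only

    public UrlValueCrypto(SecretKey key) {
        this.key = key;
    }

    /** Returns URL-safe Base64 of (iv || ciphertext || tag); a fresh nonce is used per value. */
    public String encryptForUrl(String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                    // never reuse a nonce with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Reverses encryptForUrl; any modification of the token fails the GCM tag check. */
    public String decryptFromUrl(String token) throws GeneralSecurityException {
        byte[] in = Base64.getUrlDecoder().decode(token);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("token too short");
        }
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        UrlValueCrypto crypto = new UrlValueCrypto(kg.generateKey());

        // Constructed sample value: only the parameter is encrypted, the path stays readable.
        String accountId = "42";
        String token = crypto.encryptForUrl(accountId);
        System.out.println("/myapp/user/Home?acct=" + token);
        System.out.println("decrypted on the server: " + crypto.decryptFromUrl(token));

        // Base64 alone: reversible by anyone, with no key, so it hides nothing.
        String b64 = Base64.getEncoder().encodeToString(accountId.getBytes(StandardCharsets.UTF_8));
        String back = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        System.out.println("base64(\"" + accountId + "\") = " + b64 + " -> decodes to \"" + back + "\"");

        // Flip one bit of the encrypted token: GCM's tag check rejects it instead of
        // silently handing the application a modified value.
        byte[] raw = Base64.getUrlDecoder().decode(token);
        raw[raw.length - 1] ^= 0x01;
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        try {
            crypto.decryptFromUrl(tampered);
            System.out.println("tampered token accepted (should never happen)");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered token rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Encrypting a parameter this way protects that one value from being read or altered by whoever sees the URL (logs, referrers, proxies); it does not replace HTTPS, which is what protects the whole request in transit, as the replies above say.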
Ravi Sree
Ranch Hand

Joined: Jan 24, 2010
Posts: 62

Hi Madhan and Tim,

I totally understood your explanation.
I will look more into details in this topic.
Thanks.

Regards,
Sree
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646

As others have said, just use HTTPS, that's what it was designed for. It's been used in production for well over a decade. It's a solved problem.

Now, if you want to increase system security and reliability, do not ever trust anything coming from the browser.
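Pat's "do not ever trust anything coming from the browser", applied to the controller described in the opening post (a Command pattern that turns ./user/Home into an action class), as an added Java example that is not code from this thread. The Command interface, the UserHomeCommand stand-in, the allow-list map and the CSRF token comparison are all assumptions made for this example; the point is that the request path is the browser's input and must not be used to pick a class name directly.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

/** One class per action, as in the thread's Command pattern (e.g. com.abc.user.Home). */
interface Command {
    String execute(Map<String, String[]> params);
}

/** Stand-in for the real user home action; constructed for this example. */
class UserHomeCommand implements Command {
    @Override
    public String execute(Map<String, String[]> params) {
        return "render user home page";
    }
}

/**
 * Front-controller dispatch that treats the request path as untrusted input.
 * Building a class name from the path ("com.abc" + path.replace('/', '.')) and calling
 * Class.forName would let the browser decide which classes the server instantiates;
 * an explicit allow-list removes that choice entirely.
 */
public class FrontControllerDispatch {
    // Allow-list: the only servlet paths that map to a command.
    private static final Map<String, Command> COMMANDS = Map.of(
            "/user/Home", new UserHomeCommand());

    // Shape check before the lookup: 1 to 4 segments of [A-Za-z0-9_-], nothing else.
    private static final Pattern SAFE_PATH = Pattern.compile("^(/[A-Za-z0-9_-]+){1,4}$");

    /** Returns the command for a servlet path, or empty when the path is not on the allow-list. */
    public static Optional<Command> resolve(String servletPath) {
        if (servletPath == null || !SAFE_PATH.matcher(servletPath).matches()) {
            return Optional.empty();
        }
        return Optional.ofNullable(COMMANDS.get(servletPath));
    }

    /**
     * Constant-time comparison of the CSRF token kept in the session against the one the
     * form submitted (assumed design: token generated per session, echoed in a hidden field).
     */
    public static boolean csrfTokenMatches(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    // Inside the controller servlet (mapped to /*) the wiring would be:
    //   Optional<Command> cmd = FrontControllerDispatch.resolve(req.getServletPath());
    //   if (!cmd.isPresent()) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
    //   String view = cmd.get().execute(req.getParameterMap());
    // With a prefix mapping such as /user/* the path to check is getServletPath() + getPathInfo().

    public static void main(String[] args) {
        String[] paths = {
                "/user/Home",            // on the allow-list
                "/user/home",            // case differs: not on the list
                "/admin/Delete",         // valid shape, but never registered
                "/user/../admin/Delete", // fails the shape check
                "/user//Home",           // fails the shape check
                null                     // no path at all
        };
        for (String p : paths) {
            Optional<Command> cmd = resolve(p);
            System.out.println(p + " -> " + (cmd.isPresent() ? cmd.get().execute(Map.of()) : "404"));
        }
        System.out.println("csrf match:    " + csrfTokenMatches("abc123", "abc123"));
        System.out.println("csrf mismatch: " + csrfTokenMatches("abc123", "abc124"));
    }
}
```

The same rule applies to every parameter the commands read: validate type, length and range on the server before a DAO ever sees the value, regardless of what the page's form or JavaScript promised.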
Ravi Sree
Ranch Hand

Joined: Jan 24, 2010
Posts: 62

Pat Farrell wrote:As others have said, just use HTTPS, that's what it was designed for. It's been used in production for well over a decade. It's a solved problem.

Now, if you want to increase system security and reliability, do not ever trust anything coming from the browser.


Got it, Pat. Thanks.

Regards,
Sree