
How to hide parameters passed in URL from a struts link page...

 
Ananth Chellathurai
Ranch Hand
Posts: 349
I am using an employee list page; from there I need to pass the employee id using html:link to a view page. Can anyone help me with how to hide the id passed in the query string? When I use the <html:link tag, the id is visible in the URL. I am not able to use <html:hidden as I don't have an html:form in my list page.

Thanks in Advance.
 
Merrill Higginson
Ranch Hand
Posts: 4864
Sorry, but when you pass parameters in a link, there's no way to hide them. The only way to hide data from the query string is by submitting a form with method="POST".
 
Ananth Chellathurai
Ranch Hand
Posts: 349
Thanks for your reply Merrill.

But I don't have a form as it is a list page. I am using logic:iterate to get the full employee list. When I click the view button, I have to pass the id of that employee, which should not be visible in the URL as there are chances of other users apart from the administrator getting into the page. Can you help me with what to do here?

Thanks in Advance.
 
Ananth Chellathurai
Ranch Hand
Posts: 349
Can someone help me on this? I am running out of delivery; this seems to be a security hole when I change id values in the URL. Does anyone have a solution for this? :roll:
 
Paul Clapham
Sheriff
Posts: 21107
Yes. Security belongs on the server. So if somebody passes a parameter to the server and tries to access something they shouldn't access, then the server code should reject it.
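
Added example, not part of the original thread: a Struts 1 Action that applies the server-side check described above, so that changing the id in the URL gets a 403 instead of another employee's record. The class name, the "administrator" role, the "employeeId" session attribute, the "view" forward and the "admin or own record" policy are all assumptions made for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical names throughout: role "administrator", session attribute
// "employeeId" (set at login), forward "view" in struts-config.xml.
public class ViewEmployeeAction extends Action {
    static final String ADMIN_ROLE = "administrator";

    // Assumed policy: administrators see any record, others only their own.
    static boolean mayView(boolean isAdmin, Long callerEmployeeId, long requestedId) {
        return isAdmin || (callerEmployeeId != null && callerEmployeeId.longValue() == requestedId);
    }

    // The id comes from the URL, so treat it as untrusted: digits only, bounded length.
    static Long parseId(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,18}")) return null;
        return Long.valueOf(raw);
    }

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        Long requestedId = parseId(request.getParameter("id"));
        if (requestedId == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return null; // response already completed
        }
        HttpSession session = request.getSession(false);
        Long callerId = session == null ? null : (Long) session.getAttribute("employeeId");
        boolean admin = request.isUserInRole(ADMIN_ROLE); // assumes container-managed login
        if (!mayView(admin, callerId, requestedId)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null; // tampered or unauthorized id is rejected here
        }
        request.setAttribute("employeeId", requestedId);
        return mapping.findForward("view");
    }
}
```

With this check in place the id can stay visible in the link, because the decision no longer depends on the caller being unable to see or edit it.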
 
Ananth Chellathurai
Ranch Hand
Posts: 349
Yes, I accept security should be part of the server. Is it so that there is no way to hide or scramble the URL value?
 
Ananth Chellathurai
Ranch Hand
Posts: 349
Like what <html:hidden does. I need some equivalent to <html:hidden for non form pages.
[ November 23, 2007: Message edited by: Ananth Chellathurai ]
 
Merrill Higginson
Ranch Hand
Posts: 4864
You can't hide parameters in the query string, but you can encrypt them. You could simply encrypt the ID in the JSP and then unencrypt it in the Action Class. Below is a link to an open source project designed to encrypt query string parameters.

http://www.avedatech.com/Products/QueryCrypt/index.jsp
 
Ananth Chellathurai
Ranch Hand
Posts: 349
Thanks a lot Merrill. I will try your suggestion.

Ananth
Sysvine
 
Brent Sterling
Ranch Hand
Posts: 948
First, I wanted to point out that hidden fields are not secure. Anybody with a few brain cells can install a browser plug-in that will let them change hidden fields. With that said, it seems like it would be pretty easy to add a form to your page. The onclick of the link could set the value of a hidden field and submit the form.

The link that Merrill gave is interesting. I recall seeing another project that did similar things.

- Brent
 