aspose file tools*
The moose likes Struts and the fly likes How to hide parameters passed in URL from a struts link page... Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Frameworks » Struts
Bookmark "How to hide parameters passed in URL from a struts link page..." Watch "How to hide parameters passed in URL from a struts link page..." New topic
Author

How to hide parameters passed in URL from a struts link page...

Ananth Chellathurai
Ranch Hand

Joined: Nov 21, 2007
Posts: 349

I am using a employee list page, from there I need to pass the employee id using html:link to a view page. Can any one help me how to hide the id passed in query string. When I use <html:link tag the id gets visible in the URL. I am not able to use <html:hidden as I dont have a html:form in my list page.

Thanks in Advance.


Ananth Chellathurai [Walk on software]
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
Sorry, but when you pass parameters in a link, there's no way to hide them. The only way to hide data from the query string is by submitting a form with method="POST".


Merrill
Consultant, Sima Solutions
Ananth Chellathurai
Ranch Hand

Joined: Nov 21, 2007
Posts: 349

Thanks for your reply Merrill.

But I dont have a form as it is a list page. I am using logic:iterate to get all employee list. When I click view button, I have to pass the id of that employee which should not be visible in the URL as there are chances of other users apart from administrator to get in to the page. Can you help me what to do here?

Thanks in Advance.
Ananth Chellathurai
Ranch Hand

Joined: Nov 21, 2007
Posts: 349

Can someone help me on this. I am running out of delivery this seems to be a security hole, when I change id values in the URL. Do anyone have a solution for this. :roll:
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18907
    
    8

Yes. Security belongs on the server. So if somebody passes a parameter to the server and tries to access something they shouldn't access, then the server code should reject it.
Ananth Chellathurai
Ranch Hand

Joined: Nov 21, 2007
Posts: 349

Yes, I accept security should be part of server. Is it so there is no way to hide or scramble URL value?
Ananth Chellathurai
Ranch Hand

Joined: Nov 21, 2007
Posts: 349

Like what <html:hidden does. I need some equivalent to <html:hidden for non form pages.
[ November 23, 2007: Message edited by: Ananth Chellathurai ]
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
You can't hide parameters in the query string, but you can encrypt them. You could simply encrypt the ID in the JSP and then unencrypt it in the Action Class. Below is a link to an open source project designed to encrypt query string parameters.

http://www.avedatech.com/Products/QueryCrypt/index.jsp
Ananth Chellathurai
Ranch Hand

Joined: Nov 21, 2007
Posts: 349

Thanks a lot Merrill. I will try your suggestion.

Ananth
Sysvine
Brent Sterling
Ranch Hand

Joined: Feb 08, 2006
Posts: 948
First, I wanted to point out that hidden field are not secure. Anybody with a few brain cells can install a browser plug-in that will let them change hidden fields. With that said it seems like it would be pretty easy to add a form to your page. The onclick of the link could set the value of a hidden field and submit the form.

The link that Merrill gave is interesting. I recall seeing another project that did similar things.

- Brent
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: How to hide parameters passed in URL from a struts link page...