• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Encrypting the Query String!

 
Ranch Hand
Posts: 36
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi All Ranchers,

Struts Version : 2.2.1.1
Objective : To encrypt the queryString passed as URL params.

Eg. https://localhost:8443/T/dLoadAction.do?id_=567&discr=P
should be changed to https://localhost:8443/T/dLoadAction.do?enc=126938adjkdak78133189
or likewise.

1: I am already using https to prevent sniffing from outside, but here I am worried about the insiders poking into
somebody else's domain by tampering the id_ parameter etc.

2. I cannot use POST in these cases. ( And anyway they can also be tracked from the headers)

Note the below 2 cases : 1st one is a redirect from a saveAction to prevent duplicate transaction on refresh

a> In my struts.xml I have the below setup

b> In my Menu.jsp, I have the following



Can anybody please help me in this regard? I have fiddled a lot with the options which Google provided me, like
modifying the s:url / s:param to encrypt the params.
I also fiddled with ParametersInterceptor.
I tried that as well and many other things,but still none of them
work satisfactorily. Can somebody please shed some light on how this can be done?
This is a bit critical so I would really really .. really (yeah, 1 more to "really" show how I feel at the moment )
appreciate if anybody could help me in this regards.

Thanks a lot for your time in advance.
Anirban.


P.S: I am also trying to implement an authorization mechanism which will enable me to track is somebody is trying to access any data which does not belong to him.
This involves a database querying for the logged in user and seeing to which entities he is actually tagged to. This will probably always work, but it becomes a maintenance nightmare,as we have to keep updating the query for any new types added and not to mention the multilevel querying for admins and so on.








 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic