struts-user mailing list archives

From Stephane Cosmeur <cosm...@gmail.com>
Subject Re: Encrypting parameters
Date Thu, 03 Jun 2010 07:27:46 GMT
Thank you for your answers. They are useful but not quite appropriate for
my problem.
I don't want my application to be that secure, so I don't think I need SSL or
HTTPS even if it could be good.

I am going to give a concrete example:
A user can have contacts, and he can delete them. His contacts are listed in an
HTML table, and each row has a delete link which calls an action.
Then I construct my URL like this:
<s:url id="deleteALaCarteEntry" action="DeleteALaCarteEntry">
<s:param name="id" value="id"/>
</s:url>
<td><s:a href="%{deleteALaCarteEntry}">Delete</s:a></td>

In that case, how can I hide my id parameters?

If it's not possible, I guess my only solution is to check on the server side
whether the contact is present in the list of the user.

In that case I would like to find a generic solution to apply the test, not
only for contacts, but for companies, suppliers, orders, etc., as well.

Regards

2010/6/3 Vishnu Vyasan Nelliparmbil <vishnu@mun.gov.bh>

> Hi,
>
> The advantage of the POST parameter is that it can't be viewed by the user
> in the URL. But an attacker can still edit the header and attack the
> application without much trouble.
>
> To improve security you can validate the parameter properly where you
> receive the parameter. For example, numbers only, or the string does not
> contain invalid characters such as <, >, _, /, etc.
>
> Another good thing will be to implement SSL.
>
> Now you can also go to OWASP and download the different security scanners
> and scan for the security loopholes.
>
> Best Regards
> Vishnu NV
>
> -----Original Message-----
> From: Rahul Mohan [mailto:rahul.mohan@tcs.com]
> Sent: Thursday, June 03, 2010 8:44 AM
> To: Struts Users Mailing List
> Subject: Re: Encrypting parameters
>
> Hi,
>
> I don't think it's a good idea to expose the URLs to the users in a secure
> application. Avoid GET requests and stick to POST. Also, sticking to
> request forwarding instead of redirects will keep the URL fixed in the
> browser's address bar. You might have some issues with the back button because
> of this, but in most business applications this is OK since going back one
> step in some process is anyway not allowed. Combined with HTTPS this will
> give you good enough protection against eavesdropping. But, to protect
> data access, you would still need to enforce some access control on the
> data based on the user credentials.
>
> cheers,
> Rahul Mohan
>
>
>
> From: Stephane Cosmeur <cosmeur@gmail.com>
> To: Struts Users Mailing List <user@struts.apache.org>
> Date: 03-06-2010 08:53
> Subject: Encrypting parameters
>
>
>
> Hello,
>
> I would like to improve the security of my web application. My problem is
> that I would like to encrypt the visible parameters in the URL to prevent a
> user from changing them to access data he should not see.
> At first I thought the simple attribute encode of s:url would work for what
> I need, but it's not the case. Then I don't believe such a useful feature is
> implemented in Struts 2.
>
> So what is the best solution to perform it?
>
> I was thinking of an interceptor which decrypts each request for each
> action and a Java function which encrypts the URL in each JSP, but I'm not
> sure it's the right way to do it.
>
> Any help would be appreciated !
>
> Regards
>
> --
> Stéphane Cosmeur


-- 
Stéphane Cosmeur
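One way to do the server-side ownership check generically, as an added example that is not from this thread or from Struts itself: a Struts 2 interceptor that, for any action declaring which entity type and id it targets, asks a lookup whether that entity belongs to the session user. The `OwnedEntityAction` and `OwnershipDao` interfaces, the session key and the "denied" result name are assumptions.

```java
import java.util.Map;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/** Hypothetical marker interface: an action that works on a user-owned
 *  entity (contact, company, supplier, order, ...) says which type and
 *  which id it targets, so a single interceptor can check all of them. */
interface OwnedEntityAction {
    String getEntityType();  // e.g. "contact" or "order"
    Long getId();            // filled by the params interceptor from "id"
}

/** Hypothetical persistence hook. A real implementation would run a query
 *  such as "select count(*) from contact where id=? and owner_id=?". */
interface OwnershipDao {
    boolean isOwnedBy(String entityType, Long entityId, Long userId);
}

/** Interceptor (assumed name) that refuses the request unless the entity
 *  named by the id parameter belongs to the logged-in user. Put it after
 *  "params" in the interceptor stack so getId() is already populated. */
public class OwnershipInterceptor extends AbstractInterceptor {
    static final String SESSION_USER_ID = "userId"; // assumed session key
    static final String DENIED = "denied";          // assumed result name
    private OwnershipDao dao;

    public void setOwnershipDao(OwnershipDao dao) { this.dao = dao; }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Object action = invocation.getAction();
        if (!(action instanceof OwnedEntityAction)) {
            return invocation.invoke(); // action touches no owned data
        }
        OwnedEntityAction owned = (OwnedEntityAction) action;
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object userId = session.get(SESSION_USER_ID);
        if (!(userId instanceof Long)) {
            return Action.LOGIN;        // nobody is logged in
        }
        Long id = owned.getId();
        // Fail closed: a missing id, or one the user does not own, is refused
        // no matter how the client produced it (GET, POST, edited link).
        if (id == null || !dao.isOwnedBy(owned.getEntityType(), id, (Long) userId)) {
            return DENIED;
        }
        return invocation.invoke();
    }
}
```

Register it in struts.xml after the params interceptor and map the "denied" result to an error page; the id then stays visible in the link, but changing it gains nothing because every entity type goes through the same check.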
