tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: URL Rewriting
Date Wed, 13 Jun 2012 08:50:43 GMT
Kiran Badi wrote:
> Hi All,
> For some of the functionality, I have url in the below format
> http://localhost:8080/mysite/
> What I was looking for is to hide the id part of the url and just show 
> something like
> http://localhost:8080/mysite/
> Is this hack possible with tomcat 7.011 or 7.027 or I need to write some 
> filter to do this?
> I have Tomcat 7.027 on win 7 home premium and url is generated via 
> servlet/jsp.


Why does that "id=17" visible in the URL bother you ?
Is it because of some security aspect ? (that the user could change it, and get something

else than what they should be getting ?)

1) If that is the case, then the basic logic of your application is flawed.  If this is 
information that really needs to be sent by the browser to the server, then the browser 
must have that information. And if that information originally comes from the server and 
is sent to the browser, then there is /nothing/ that you can do to block some user from 
playing around with it, before sending it back to the server.
If you do not want the user to be able to play around with some information, then don't 
send it to him in the first place.

2) if the browser /must/ send some information to the server as part of the URL, then 
there is /nothing/ that can be done on the server side, to stop the browser showing this 
information in the URL bar.

To illustrate this :
- imagine that the server sends a page to the browser, and this page contains a link like
<a href="http://localhost:8080/mysite/">click


Then the user, just by moving his mouse above "click here", sees the content of that link

at the bottom of his screen, in the status bar, right ?
And the user can right-click on "click here", and choose "copy link location".
And then the user can open another browser window, and paste this URL in the URL bar.
And then the user can modify this link before hitting the return button, so that the link

now looks like
right ?
And all this happens in the browser, /before/ the server even sees this browser request.
So what could the server do ?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message