Message-ID: <4FD8D80A.4040704@poonam.org>
Date: Wed, 13 Jun 2012 23:42:26 +0530
From: Kiran Badi
Organization: www.poonam.org
To: Tomcat Users List
Subject: Re: URL Rewriting
References: <4FD80726.5050408@poonam.org> <4FD85463.1060608@ice-sa.com>
In-Reply-To: <4FD85463.1060608@ice-sa.com>

Please see inline for my answers, Andre.

> Kiran,
>
> Why does that "id=17" visible in the URL bother you ?
> Is it because of some security aspect ? (that the user could change
> it, and get something else than what they should be getting ?)

Thanks for reminding me of this aspect. I was not checking for an empty result set in my code. Fixed that one now. :)

> 1) If that is the case, then the basic logic of your application is
> flawed. If this is information that really needs to be sent by the
> browser to the server, then the browser must have that information.
> And if that information originally comes from the server and is sent
> to the browser, then there is /nothing/ that you can do to block some
> user from playing around with it, before sending it back to the server.
> If you do not want the user to be able to play around with some
> information, then don't send it to him in the first place.

Ok, let me share the way I wrote this piece:

<a href="<%=request.getContextPath()%>/getmyservice.do?id=${myid}">

This is basically the link where I append the id (the id comes from the DB) and send it to the servlet, which then pulls the records from the DB for the corresponding id and sends them back to the JSP for display. But I am not able to figure out why I am not getting the URL of the JSP as something like http://localhost:8080/ourstory/myiddata.jsp. So I thought I would try to rewrite the URL, in case that is possible.

> 2) if the browser /must/ send some information to the server as part
> of the URL, then there is /nothing/ that can be done on the server
> side, to stop the browser showing this information in the URL bar.
>
> To illustrate this :
> - imagine that the server sends a page to the browser, and this page
> contains a link like :
> <a href="http://localhost:8080/mysite/getmyservice.do?id=my-very-secret-information">click here</a>
>
> Then the user, just by moving his mouse above "click here", sees the
> content of that link at the bottom of his screen, in the status bar,
> right ?
> And the user can right-click on "click here", and choose "copy link
> location".
> And then the user can open another browser window, and paste this URL
> in the URL bar.
> And then the user can modify this link before hitting the return
> button, so that the link now looks like
> http://localhost:8080/mysite/getmyservice.do?id=some-other-information
> right ?
> And all this happens in the browser, /before/ the server even sees
> this browser request.
> So what could the server do ?

This is interesting information. How about sending the info as POST rather than GET? Not sure if I can convert clicking of the link from GET to POST, but I will try. But again, the place where I am generating the links is not within a form; they are just hyperlinks with the id appended to them.

Now I know both GET and POST can be broken if one wants to; that is altogether a different case, but for now I need a tidy and clean URL with no id appended to it.

Does my requirement make sense?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
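As an added illustration of Andre's point (not code from this thread or from the ourstory application), a hypothetical servlet behind /getmyservice.do: whether the id arrives by GET or POST, the server checks that the row exists and belongs to the logged-in user, which is what makes the visible id harmless. The session attribute "username", the StoryDao interface and the "owner" column are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for /getmyservice.do (assumed mapping, not code from the thread).
// GET and POST share one handler: the HTTP method hides nothing, so the check is server-side.
public class GetMyServiceServlet extends HttpServlet {
    // Assumed DAO: returns the row as a map, or null when the result set is empty.
    interface StoryDao { Map<String, String> findById(long id); }
    private StoryDao dao; // assumed to be wired up by the application

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity comes from the session the login code created, never from the request.
        HttpSession session = req.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("username");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        long id;
        try {
            id = Long.parseLong(req.getParameter("id")); // null or junk -> NumberFormatException
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        Map<String, String> record = dao.findById(id);
        // A missing row and someone else's row get the same 404, so ids cannot be probed.
        if (record == null || !user.equals(record.get("owner"))) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.setAttribute("record", record);
        req.getRequestDispatcher("/myiddata.jsp").forward(req, resp);
    }
}
```

Rewriting the URL so that /myiddata.jsp shows in the address bar changes only what the user sees; the ownership check above is what stops a modified id from returning another user's record.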