Hi,

Still learning JSP Web Applications here.

I have been doing this for a while in my web application, but I would like to know a more secure solution.

Imagine a Table that displays certain Book Information. When user clicks one of the rows in the table, I basically send the BookID together with the url.

Example URL. http://locathost:8080/myapp/editbook.htm?bookID=3

In my servlet:

String strBookID = request.getParameter("bookID");

I think this is a little weak. Is there a way I could provide a more secure way other than this? It's quite easy for a hacker to edit the URL if I send the BookID together with the URL.

Can you share some links with me on how to do this on both the client side and the server side?

Thanks

A: 

You have to assume that any user can send anything to you. The solution isn't to prevent users from sending data in the URL; it's to check that they are in fact allowed to perform the requested operation.

You need authentication and authorizations.

How to use authentication with your web.xml

Defining Security Requirements for Web Applications

Colin Hebert
@Colin, that was fast. I haven't really read about security and will browse the link you have given later. But I have created a servlet filter that intercepts all requests and checks for an object in their session. This is my first authentication scheme after they have successfully logged in. I would like to know, how do the sites that I have visited create links such as [http://somesite/app.htm?id=3748asghks373]? I think they are doing some sort of encryption here. Am I right?
Mark Estrada
It isn't really encryption, it's more like a ticket to access a resource. But with this kind of link, users can't exchange links to share information. Think of it like this: what if on amazon.com (or any other website) all links were like this? What if you couldn't exchange the information you're reading? If you really don't want information to be shared, you could still use tickets that say "For this ticket, if the user is who he claims to be, then the value will be ...". But it's really heavy for the use case you gave us (just editing some information).
Colin Hebert
+2  A: 

I think this is a little weak, is there a way where I could provide a more secure way other than this.

You have to define "secure" on the basis of your application. The requirements are totally different for a public website selling books vs. a private library hosting confidential volumes vs. any other application in between.

At a minimum, you should do the following:

  1. Verify that bookID is in fact an integer and is within an expected range.
  2. Ensure that you bind bookID in a parameterized SQL query; this is to prevent SQL injection.
  3. Show a 'Book not found' page if the book cannot be found.

For a public website, the above is enough. You actually want people to discover your books, so if someone modifies the bookID, you shouldn't care.

For a secure library, you have to do a lot more:

  1. Ensure that the URL is protected in web.xml, so only authenticated and authorized users can get to the URL.
  2. Verify that the current user has access to the bookID. You can store the list of books available to a user in the session object.
  3. If the user does not have access, return a 403 error page.

There are several other strategies to protect URLs; some use tokens to ensure the URL hasn't been manipulated. Others don't send bookID to the client, and instead rely on number {1 through n} where only the server knows that 1 corresponds to Book A and so on. But the idea is to ensure that a user doesn't get access to a book he doesn't have permissions to.

If you are using Spring, I'd highly recommend Spring Security. Otherwise look into JAAS.

sri
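The following servlet is an added example (not code from the question or from either answer) that implements the checklist in this answer for the "secure library" case: parse and range-check bookID, check that the current user is allowed to edit that book using a set the login code is assumed to have stored in the session, bind the ID with a PreparedStatement, and return 403 or 404 accordingly. For the public-website case, drop the userMayEdit check and keep the rest. The table name `books` with columns `id`/`title`, the session attribute name `allowedBookIds`, the ID range, and the JNDI name `java:comp/env/jdbc/BooksDS` are all assumptions; the `<security-constraint>` in web.xml that Colin's links describe is still needed in front of this servlet.

```java
// Added example, not the project's own code. Assumed: a "books" table with
// columns id/title, a DataSource at the JNDI name below, and a session attribute
// "allowedBookIds" (a Set<Integer>) populated by the application's login code.
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

public class EditBookServlet extends HttpServlet {

    // Expected range for book IDs (assumed values; adjust to your data).
    private static final int MIN_BOOK_ID = 1;
    private static final int MAX_BOOK_ID = 1000000;

    /** Step 1: the parameter must be an integer inside the expected range. Returns null when it is not. */
    static Integer parseBookId(String raw) {
        if (raw == null) {
            return null;
        }
        try {
            int id = Integer.parseInt(raw.trim());
            return (id >= MIN_BOOK_ID && id <= MAX_BOOK_ID) ? Integer.valueOf(id) : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /** Secure-library step 2: is this book in the set the login code stored in the session? */
    @SuppressWarnings("unchecked")
    static boolean userMayEdit(HttpSession session, int bookId) {
        if (session == null) {
            return false;
        }
        Object allowed = session.getAttribute("allowedBookIds"); // assumed attribute name
        return allowed instanceof Set && ((Set<Integer>) allowed).contains(Integer.valueOf(bookId));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Integer bookId = parseBookId(req.getParameter("bookID"));
        if (bookId == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid bookID");
            return;
        }
        // A well-formed ID is not enough: the current user must be allowed to edit it.
        // getSession(false) does not create a session for an anonymous request.
        if (!userMayEdit(req.getSession(false), bookId.intValue())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Step 2 of the minimum list: the ID is bound as a parameter, never concatenated.
        String sql = "SELECT title FROM books WHERE id = ?";
        try (Connection conn = lookupDataSource().getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, bookId.intValue());
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    // Step 3: a missing or unknown book gets a "not found" page.
                    resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Book not found");
                    return;
                }
                // text/plain keeps this example free of HTML-escaping concerns.
                resp.setContentType("text/plain;charset=UTF-8");
                PrintWriter out = resp.getWriter();
                out.println("Editing: " + rs.getString("title"));
            }
        } catch (SQLException | NamingException e) {
            throw new ServletException(e);
        }
    }

    private DataSource lookupDataSource() throws NamingException {
        // Assumed JNDI name; change it to match the container's resource definition.
        return (DataSource) new InitialContext().lookup("java:comp/env/jdbc/BooksDS");
    }
}
```

The important design point is the order of the checks: the request is rejected as soon as the ID is malformed, then rejected if the user is not entitled to that ID, and only then does a parameterized query touch the database. Editing the number in the URL therefore yields a 400, 403 or 404, never another user's book.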