
I am an unwilling JSP/Java noob. I've been asked to hurriedly write up a system for generating secure URLs from one site to another. The actual request string (must be passed as GET request) needs to be encrypted or otherwise obfuscated so that the user cannot easily change it to request someone else's document. Because of limitations in the environment, I cannot simply manage the request in a session and really must do it this way.

A sample of what I need:

page1.jsp: a 7-digit number is generated by our system and needs to be passed to http://otherserver.com/page2.jsp. If the user sees this number, it will be obvious what it represents, and no other number can be used for this purpose.

The number should be encrypted or otherwise obfuscated in page1.jsp code and built into a URL to page2.jsp that can be decrypted / unobfuscated easily.

Thank you for your help!

+2  A: 

I wouldn't bother to try to obfuscate it.

Instead, if the two servers can share a common secret, you can use keyed-hashing (see javax.crypto.Mac) to generate keyed hashes for the document number, which is passed to the other server along with the document number.

The target server can then easily verify that the keyed hash corresponds to the document number, and easily detect attempts to modify it.

Chris Jester-Young
Bruce the Hoon
I decided to use MD5+salt, but same end result. Thanks for pointing me in the right direction!
Bruce the Hoon
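
The keyed-hash approach from the answer above, as an added example (not code from the original thread): page1.jsp appends an HMAC of the document number to the link, and page2.jsp recomputes and compares it, so the number stays visible but cannot be changed without invalidating the tag. The parameter names `doc` and `sig`, the class name, the choice of HmacSHA256 and the key constant are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class SignedDocLink {
    // Assumption: both servers load the same random key from protected configuration.
    // This constant is a constructed placeholder, not a usable key.
    private static final byte[] SHARED_KEY =
            "REPLACE-WITH-32-RANDOM-BYTES-FROM-CONFIG".getBytes(StandardCharsets.UTF_8);

    // Keyed hash (HMAC) over the document number.
    static byte[] tag(String docId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SHARED_KEY, "HmacSHA256"));
        return mac.doFinal(docId.getBytes(StandardCharsets.UTF_8));
    }

    // page1.jsp side: build the link with the number and its tag.
    static String buildUrl(String docId) throws Exception {
        String sig = Base64.getUrlEncoder().withoutPadding().encodeToString(tag(docId));
        return "http://otherserver.com/page2.jsp?doc=" + docId + "&sig=" + sig;
    }

    // page2.jsp side: reject anything that is not a 7-digit number with a matching tag.
    static boolean verify(String docId, String sig) throws Exception {
        if (docId == null || sig == null || !docId.matches("\\d{7}")) return false;
        byte[] supplied;
        try {
            supplied = Base64.getUrlDecoder().decode(sig);
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64 in the query string
        }
        // Constant-time comparison, so response timing does not leak matching prefix bytes.
        return MessageDigest.isEqual(tag(docId), supplied);
    }

    public static void main(String[] args) throws Exception {
        String docId = "1234567"; // constructed sample document number
        String url = buildUrl(docId);
        String sig = url.substring(url.indexOf("&sig=") + 5);
        System.out.println(url);
        System.out.println("original number verifies: " + verify(docId, sig));
        System.out.println("altered number verifies:  " + verify("1234568", sig));
    }
}
```

A link signed this way stays valid indefinitely and for anyone who holds it; if that matters, include an expiry time or user identifier in the MAC input and check it on page2.jsp.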