
I have a page that does a redirect to another page; however, a parameter is passed in the redirect. In the Controller there is a URL mapping that matches the URL with a GET method. The GET method takes the parameter and sets values on the display. The URL looks like this:

http://localhost:1234/appName/pageName.htm?recNo=123

However, it is very easy for the user to change the parameter value from 123 to any value and then refresh the page. Once the recNo the user enters is valid and the page is refreshed, the data will be displayed. I want to allow the user to only be able to view the record for the recNo that was passed. I do not want the user to be able to modify the parameter in the URL.

What is the best approach to handling this in Spring MVC? The method must be a GET after the page is redirected.

  • What if you make some validation in your function to ensure that the user has the right to access that recNo? Commented Apr 28, 2013 at 1:33

3 Answers


If your request must be GET, it means it must be stateless. It should not rely on what the user did in the last request, which also means that all the information required for the GET request to be executed properly should be contained within the GET request.

With that in mind, the only way to pass information in the URL is by making it a part of the URI, or as a URL parameter. So either /app/product/123 or /app/product?id=123.

This exposes the URL to a possible security vulnerability where the user can manipulate the id in the URL.

There are two solutions:

  1. Implement a more robust system in the backend to check that the id referenced in the GET url is associated / allowed for the user who is trying to access the URL. Basically be more explicit and deliberate about asserting your security constraints. This method will fail if your users are unauthenticated users. (No login needed).

  2. The second solution is to expose an encrypted and encoded version of the id in the URL. You should use a two-way encryption though. So when the POST request completes, it encrypts and encodes the id and appends it to the subsequent GET request. When the GET request is received you decode and decrypt the URL parameter to get the real id and show the appropriate content. This method basically implies that it would be very difficult for a user to manipulate an encrypted parameter such that it could be decrypted to produce a valid number. I often use AES encryption and Base64 encoding.

Hope this helps.
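The first solution above (an explicit, server-side ownership check on the GET handler) as an added example; this is not code from the answer or the question. It assumes an authenticated user (a java.security.Principal is available to the handler) and uses hypothetical names for the data-access bean, entity and exception (RecordRepository, Record, RecordNotAllowedException).

```java
import java.security.Principal;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseStatus;

@Controller
public class RecordController {

    // Hypothetical data-access bean and entity assumed for this example.
    interface RecordRepository { Record findByRecNo(long recNo); }
    interface Record { String getOwner(); }

    @Autowired
    private RecordRepository records;

    // Handles the redirected GET: /appName/pageName.htm?recNo=123
    @RequestMapping(value = "/pageName.htm", method = RequestMethod.GET)
    public String showRecord(@RequestParam("recNo") long recNo,
                             Principal principal, Model model) {
        // recNo is untrusted: the user can type any value into the URL.
        // The request stays stateless; what protects the record is the
        // ownership check against the authenticated user, not the URL.
        Record record = records.findByRecNo(recNo);
        if (principal == null || record == null
                || !record.getOwner().equals(principal.getName())) {
            // One response for "no such record" and "not your record", so a
            // user editing recNo cannot tell which values exist.
            throw new RecordNotAllowedException();
        }
        model.addAttribute("record", record);
        return "pageName";
    }

    // Spring turns the annotation into a plain 404 response.
    @ResponseStatus(HttpStatus.NOT_FOUND)
    static class RecordNotAllowedException extends RuntimeException {
    }
}
```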


4 Comments

I stored the parameter in the session and this did encryption for me as well. It also encrypts the parameter name so there is no way the user can know the parameter name or the value passed.
I think you missed my point. With the id in the session, can you re-use the URL in a different browser and still see the real results? If you cannot, then there's really no benefit to making the request GET, is there? I meant encrypting it in the URL, so instead of /app/product/123 it would look like /app/product/ASDASD323423SDASD
I approached your second solution method and I was successful in applying encryption of the parameter value. The URL did look like /app/product?id=%34&id=115&id=77&id=12; however, how do I write a request mapping for such a URL in the controller?
Wait, why do you have multiple ids in the URL now? In any case, you can map URL parameters to method arguments using the @RequestParam annotation. If you are facing difficulties with a particular type of URL and method signature, I suggest you start a separate question; it'll be easier to understand the problem.

If you are redirecting to a page in the same application, you can store this info in the session using @SessionAttributes.

6 Comments

How can I clear the session attribute once I am done with it? I would like to clear it as soon as I display the record to the user.
I need to remove the value as soon as I am done using it. When I use session.setAttribute("recNo",0); the recNo still remains; I have to close the browser and reopen it for the session attribute to lose the value.
I even tried session.removeAttribute() and no luck. I need to remove it without having to close the browser and reopen it.
You can use SessionStatus.setComplete(); check this link: vard-lokkur.blogspot.com/2011/01/…
Since 3.1, we can use RedirectAttributes and have more control over the object using the .addFlashAttribute or .addAttribute method.
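The RedirectAttributes approach from the last comment, as an added example (not code from the answer or its comments): the POST handler passes recNo to the redirected GET as a flash attribute, so the id never appears in the URL and Spring removes it from the session once the GET handler has run. The /save.htm mapping, the hard-coded recNo and the lookup helper are constructed for this example.

```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.mvc.support.RedirectAttributes;

@Controller
public class RecordRedirectController {

    // POST that produces the record; the mapping is hypothetical.
    @RequestMapping(value = "/save.htm", method = RequestMethod.POST)
    public String save(@RequestParam("name") String name,
                       RedirectAttributes redirectAttrs) {
        long recNo = 123L; // constructed: stands in for the saved record's id
        // Flash attribute: kept server-side for exactly one request, then
        // discarded, so no session clean-up code is needed.
        redirectAttrs.addFlashAttribute("recNo", recNo);
        // The redirect URL carries no parameter: /appName/pageName.htm
        return "redirect:/pageName.htm";
    }

    @RequestMapping(value = "/pageName.htm", method = RequestMethod.GET)
    public String show(Model model) {
        // Flash attributes are merged into the target handler's Model.
        Long recNo = (Long) model.asMap().get("recNo");
        if (recNo == null) {
            // Direct visit, or a refresh after the flash value was consumed:
            // there is nothing to show, so send the user back to the start.
            return "redirect:/start.htm";
        }
        // The ownership check still belongs here if records are per-user;
        // the flash attribute only keeps the id out of the URL.
        model.addAttribute("record", lookup(recNo));
        return "pageName";
    }

    // Hypothetical lookup standing in for the real data access.
    private Object lookup(long recNo) {
        return "record " + recNo;
    }
}
```

Refreshing the page re-issues the GET without the flash attribute, which is what the original poster asked for: the record is shown once and the value is gone without closing the browser.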

Assumption: it is not mandatory to use the "get" method.

I think you can hide the parameters in the URL by using the "post" method instead of the "get" method.

In an HTML form, you can add method="post". Below is the example:

<form action="hello" method="post">
    <input type="text" name="name" /> <br>
    <!-- value, not title, is the attribute that labels the button -->
    <input type="submit" value="Submit">
</form>
