I have a page that does a redirect to another page however a parameter is passed in the redirect. In the Controller there is a url mapping that matches the url with a GET method. The get method takes the parameter and sets values on the display. The url looks like this:
http://localhost:1234/appName/pageName.htm?recNo=123
However it is very easy for the user to change the parameter value from 123 to any value and then refresh the page. Once the recNo the user enters is valid and the page is refreshed the data will be displayed. I want to allow the user to only be able to view the record for the recNo that was passed. I do not want the user to be able to modify the parameter in the url.
What is the best approach to handling this in Spring MVC? The method must be a GET aftr the page is redirected.
If you're request must be GET.. it means it must be stateless. It should not rely on what the user did in the last request, which also means that all the information required for the GET request to be executed properly should be contained within the GET request.
With that in mind, the only way to pass information in the URL is by making it a part of the URI, or as a URL parameter.
So either /app/product/123 or /app/product?id=123
This exposes the URL to possible security vulnerability where the user can manipulate the id in the url,
There are two solutions:
Implement a more robust system in the backend to check that the id referenced in the GET url is associated / allowed for the user who is trying to access the URL. Basically be more explicit and deliberate about asserting your security constraints. This method will fail if your users are unauthenticated users. (No login needed).
The second solution is to expose an encrypted and encoded version of the id in the url. You should use a two way encryption though. So when the POST request completes, it encrypts and encodes the id and appends it to the subsequent GET request. When the GET request is received you decode and decrypt the url parameter to get the real id and show appropriate content. This method basically implies that it would be very difficult for a user to manipulate an ecrypted parameter such that it could be decrypted to produce a valid number. I often use AES encryption and Base 64 encoding.
Hope this helps.
if you are redirecting to page in the same application you can store this info in session use #SessionAtrribute
Assumption: If it is not mandatory to use "get" method.
I think, you can hide the parameters in URL by using "post" method , instead of "get" method.
In HTML form, you can add method="post" . Below is the example:
<form action="hello" method="post">
<input type="text" name="name" /> <br>
<input type="submit" title="Submit">
</form>
Related
After submitting a form, calling an action and redirecting to show the jsp, the final url of the browser will show the action with the submit parameters as follows. Is it possible to hide the parameters ?
http://localhost:8080/myproject/login?username=aaa&password=123
Use "redirect" result type to send the redirect to the browser. The parameters should still be in your session/action context.
The comment by #sanbhat is right - use a POST request so that the parameters do not appear in the URL. Using browser dev tools or similar it's still possible to inspect the request and it's post data, there's nothing you can do about that.
In the final redirect to the result JSP, (which presumably shows what the user wrote on the form), then the fields can be populated by saving the results in session scope, so no need to have request parameters on the redirect URL.
i guess you are making a GET call here..
in the submit action make sure you specify method="post" so that password wont appear as parameter
You are using get method. Change it to post method. Example is:
form method="post" name="form name" action="Your action page"
use post method in the form , default is get so u always see the parameters in the url.
<form action="some.jsp" method="post">
We have a form with 2 input fields.
These allow a user to type in destinations to plan a flight.
We want to use an external servlet that allows us to use autocompletion on the fields
(e.g. type "LO" and it gets the matches for that - London Heathrow would be at the top)
The servlet can be found at a URL like this: http://www.companyname.com/servlet/ac.json?n=12&q=LO
with "n" being the amount of results it should return, and "q" being the query.
How do I call that servlet from my HTML form, everytime the input field changes?
The servlet is on a different domain than my page, and I have absolutely no other access than calling it with the URL I posted.
The response from the servlet will always be a JSON string like this:
[{"type":"airport","city":"Cape Town","airport":"International","iata":"CPT","country":"South Africa","locationId":"airport_CPT"},
{"type":"city","city":"Chicago, IL","airport":"All Airports","iata":"CHI","country":"United States","locationId":"US_city_CHI"},
{"type":"airport","city":"Victoria","airport":"CA","iata":"YYJ","country":"Canada","locationId":"airport_YYJ"}]
How do I call that servlet from my HTML form, everytime the input field changes?
I strongly belive ,you need AJAX for this.If you use a normal servlet and use a form to submit each time the page will reload.
And coming to same servlet part,
You can specify the method names in AJAX request
You can try with JSP page in place of Servlet. You can call it very easily and it will complete your purpose also. Otherwise AJAX is best for this type of problem.
What I want to do:
I have a form with a lot of fields(nick, email, name, surname, etc.) but the user has to fill Nick and Email first in order to be able to fill the other fields(this is because we want to check that the nick and mail aren't in use by another client before he can introduce the rest of his information(name, surname, etc.)).
So, the user introduces Nick and Email and then he must press a button named "Validate", if the values are available(successful validation) then the rest of the fields are enabled and the user can continue filling the form, otherwise the fields stay disabled and an error is showed to the user.
The form will be located in a JSP, it will be submitted to a Servlet, once in the servlet I must validate the information that is in the form(i have a .JAR file included in this servlet, the validation consists in calling a function from that library, the function returns a boolean) and then I must return back to the same JSP the boolean that will represent the result of the validate function.
Now in the JSP I must enable(or not, depending on the value of the boolean) the rest of the TextFields.
I'm not sure if this is right but i was trying to submit with the button and at the same time run a javascript(onclick) that will use this boolean value that the servlet sends back to the JSP after making the validation. The javascript consists on an IF sentence that evaluates the boolean and if it's true then it enables all the fields on the JSP.
Problems so far:
I was able to send the Nick and Email from the JSP to the Servlet and to make the validation of the values, now i have the boolean but i have no idea on how to send it from the Servlet to the same JSP and use it in the onclick event of the same button I used to submit the info. I don't even know if it's possible to do this...
I'd be grateful if someone could give me a hand with this, i'm newbie in Java programming so i would appreciate simple explanations if possible.
Also, if there is a better way of doing what i want please share it, and if there are any doubts ask and i will try to explain it better.
There is no need for JavaScript at all.
In your servlet you can store the validation result into the request context:
req.setAttribute('checkResult', checkResult);
where req is of type HttpServletRequest and checkResult is a Boolean.
Then you can forward to your JSP:
RequestDispatcher dispatcher = req.getRequestDispatcher("/your.jsp");
dispatcher.forward(req, resp);
In your JSP you can set your form elements as read only depending on the attribute checkResult which you have put into the request context:
<textarea name="text" cols="50" rows="10"
<%= request.getAttribute("checkResult") != null && request.getAttribute("checkResult") ? "" : "readonly" %>
>...</textarea>
So if the check is not valid then the <textarea> element will contain the readonly attribute. Otherwise readonly is not present.
As Roy mentioned AJAX is best suited for your problem. You can use DWR! , it makes normal java classes available as AJAX services, just call the method on them and get the result. So easy.
I think AJAX is more suitable for your application, which will not require to submit the whole form and you can send back the validation flag as plain responseText or well-formatted responseXML. Also you can use a lot of good javascript library such as jQuery that helps you send an AJAX request quickly and simply.
I am using Struts and Java. The problem is that I have a page with some results. The user can click an item and edit it. I want after editing the user to be able to return back to the results. Back isn't broken but if he submits the form for update he would have to click back 2 times I think and may have problem.
I have tried header("Referer") but this doesn't work in Internet Explorer.
I am trying to implement a solution. Any ideas? My idea is to save url and move around an ID of that url. And when I want to return back get the url from ID. Storing it in the session is not a solution because the user may have opened multiple windows.
Passing a URL as a request parameter may create security issues. Powerlord is right that the USER can alter the referrer header. This will allow the user to visit a page, something they can do anyway. More seriously, following a URL that is in a request parameter allows an attacker to send the user to a page of the attacker's choice, with the appearance that this page is recommended by your application. So the answer from BalusC can enable Cross-Site Request Forgery.
The best way is to pass it around as a request parameter. On the edit link or button, just pass the current URL along as request parameter. Here's an example with a link:
edit
Or if it's a button to submit a form, then rather pass it as hidden input value in the same form:
<input type="hidden" name="from" value="${pageContext.request.requestURI}">
In the page with the edit form, transfer it to the subsequent request as hidden input value of the form:
<input type="hidden" name="from" value="${param.from}">
In the action method, just redirect to that URL after finishing the action. Since I don't do Struts, I can't give a detailed Struts example, but here is how you would do it with "plain vanilla" Servlet, you must be able to port it to a Struts approach:
response.sendRedirect(request.getParameter("from"));
I've got several Portlets with some links in them, all I want is to hide the URL params. So I thought it would be easy to include some jQuery code, which builds a form for each and binds a click event on it to submit the form.
This does not work. The action request isn't hit for some reason.
Does anyone have a different suggestion for hiding URL parameters?
description of link
<form name="mydataform" id="mydataform" action="/actionurlonyoursite" method="post">
<input type="hidden" name="myparam" value="" />
</form>
<script type="text/javascript">
function handleThisLink()
{
// access the hidden element in which you wish to pass the value of the parameter
dojo.byId("myparam").value = "myvalue";
// the value might be precomputed (while generating this page) or
// might need to be computed based on other data in the page
// submit the form by HTTP POST method to the URL which will handle it.
document.forms['mydataform'].submit();
// also possible to actually send a background AJAX request and publish
// the response to some part of the current page, thus avoiding full
// page refresh
// I used dojo.byId() as a shortcut to access the input element
// this is based on dojo toolkit.
}
</script>
Links fire GET requests by default. You cannot fire HTTP GET requests without passing parameters through the URL. The only what can do this is HTTP POST. All parameters are then included in the request body. But you would need to replace all links by forms with buttons and you need to modify the server side code so that it listens on POST requests instead of GET requests to take actions accordingly.
Javascript can also fire GET requests just in "the background" with help of XMLHttpRequest, but when a client has JS disabled, your application will either break or still display the parameters. Also the client has full control over JS code, so it does not necessarily "hide" the parameters from the client, but only from the browser address bar.
You can using XMLHttpRequest to hide URL parameter or using session variable of servlet container.
Maybe you can using encode url to show complex data to end user.
good luck