
Thread: URL encoding issue

  1. #1
    Join Date: Dec 2010 | Posts: 9

    URL encoding issue

    Hi All,
    I am using Spring 1.2 and whenever I use the RedirectView object for redirecting, the request object is displayed in the URL.
    Please help.

  2. #2
    Join Date: Nov 2010 | Posts: 10


    Can you post some code, and possibly the request which is displayed in the URL? This will help us.

  3. #3
    Join Date: Dec 2010 | Posts: 9

    Re:

    Hi,
    Below is the URL: http://localHost:8090/myApplication/...010&empNo=9012

    So in the controller I am just forwarding it to timesheet.htm as follows:

    import java.util.HashMap;
    import java.util.Map;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.validation.BindException;
    import org.springframework.web.servlet.ModelAndView;
    import org.springframework.web.servlet.view.RedirectView;

    public ModelAndView showForm(HttpServletRequest request, HttpServletResponse response, BindException errors, Object command) {
        Map model = new HashMap();
        model.put("month", Integer.valueOf(1));
        model.put("year", Integer.valueOf(2010));
        model.put("empNo", Integer.valueOf(9012));
        // RedirectView appends the model entries to the redirect URL as query parameters
        ModelAndView mvc = new ModelAndView(new RedirectView("timesheet.htm"));
        mvc.addObject("EMP_DETAIL", model);
        return mvc;
    }

    So the URL below is displayed in the address bar: http://localHost:8090/myApplication/...010&empNo=9012

    Because of this, anyone can modify the empNo and view the record of another user. So I need to prevent the display of the parameter while redirecting to the .htm.

    Thanks

  4. #4
    Join Date: Nov 2010 | Posts: 10


    I think you should be able to use a hashing mechanism to hash the wanted parameter.

  5. #5
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date: Aug 2004 | Location: Glasgow, Scotland | Posts: 3,449


    Exposing data in the URL is a very basic issue with web security and a very common problem. Are you actually using Spring Security? If you are then you should secure your service layer appropriately so that a user cannot access accounts they are not permitted to. Watch the Spring One 2010 presentation on the website which has a holiday booking application which is a very similar use case to a timesheet app.

    Hashing the parameter will not add any security. For a start you will not be able to work out the original value at the server, since hash algorithms are generally irreversible. And if you are just using a hash as an alternative to the numeric parameter, then it is of exactly the same value to an attacker as the numeric ID - it is an opaque key which can be used to specify the user.
    Spring - by Pivotal
    twitter @tekul
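The check Luke describes, as an added example that is not code from this thread or from Spring: a small self-contained Java program in which the service layer decides access from the authenticated caller, not from the empNo in the query string, so editing the URL gains the user nothing. The Principal, Timesheet and TimesheetService classes, the handleTimesheetRequest method and the sample records are assumptions made for the example; in a real Acegi / Spring Security deployment the caller would be taken from the security context rather than passed in.

```java
import java.util.HashMap;
import java.util.Map;

public class TimesheetAccessControl {

    /** Thrown by the service when the caller is not entitled to the record. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    /** Stand-in for the authenticated user (hypothetical shape). In an Acegi / Spring
     *  Security app this comes from the security context, never from a request parameter. */
    static class Principal {
        final int empNo;
        final boolean manager;
        Principal(int empNo, boolean manager) { this.empNo = empNo; this.manager = manager; }
    }

    static class Timesheet {
        final int empNo, month, year, hours;
        Timesheet(int empNo, int month, int year, int hours) {
            this.empNo = empNo; this.month = month; this.year = year; this.hours = hours;
        }
        public String toString() {
            return "Timesheet[emp=" + empNo + " " + month + "/" + year + " hours=" + hours + "]";
        }
    }

    /** Service layer: every read passes through one authorization check. */
    static class TimesheetService {
        private final Map<String, Timesheet> store = new HashMap<String, Timesheet>();

        void save(Timesheet t) { store.put(key(t.empNo, t.month, t.year), t); }

        Timesheet load(Principal caller, int empNo, int month, int year) {
            // empNo may have come from the URL and may have been edited by the user.
            // The decision is made against the caller's identity, not against the URL.
            if (caller.empNo != empNo && !caller.manager) {
                throw new AccessDeniedException("employee " + caller.empNo
                        + " is not permitted to view the timesheet of employee " + empNo);
            }
            Timesheet t = store.get(key(empNo, month, year));
            if (t == null) throw new IllegalArgumentException("no timesheet for employee " + empNo);
            return t;
        }

        private static String key(int empNo, int month, int year) {
            return empNo + "/" + month + "/" + year;
        }
    }

    /** What the handler for timesheet.htm does with the query string it receives. */
    static Timesheet handleTimesheetRequest(TimesheetService service, Principal caller,
                                            Map<String, String> params) {
        int empNo = Integer.parseInt(params.get("empNo"));
        int month = Integer.parseInt(params.get("month"));
        int year = Integer.parseInt(params.get("year"));
        return service.load(caller, empNo, month, year);
    }

    public static void main(String[] args) {
        TimesheetService service = new TimesheetService();
        service.save(new Timesheet(9012, 1, 2010, 160));   // constructed sample data
        service.save(new Timesheet(9013, 1, 2010, 152));

        Principal employee9012 = new Principal(9012, false);

        // The redirect from the thread: month=1&year=2010&empNo=9012, for the logged-in user.
        Map<String, String> ownRequest = new HashMap<String, String>();
        ownRequest.put("month", "1");
        ownRequest.put("year", "2010");
        ownRequest.put("empNo", "9012");
        System.out.println("own record: " + handleTimesheetRequest(service, employee9012, ownRequest));

        // The user edits empNo in the address bar to 9013.
        Map<String, String> tampered = new HashMap<String, String>(ownRequest);
        tampered.put("empNo", "9013");
        try {
            handleTimesheetRequest(service, employee9012, tampered);
            System.out.println("BUG: tampered request succeeded");
        } catch (AccessDeniedException e) {
            System.out.println("tampered request rejected: " + e.getMessage());
        }

        // A manager may read either record: same check, different caller.
        Principal manager = new Principal(5000, true);
        System.out.println("manager: " + handleTimesheetRequest(service, manager, tampered));
    }
}
```

Compile and run with `javac TimesheetAccessControl.java && java TimesheetAccessControl`. The point of the design is that the empNo stays visible in the URL and that is harmless: hashing, Base64 or hiding it in the session would leave the same check missing, while one check in the service covers every path that reaches the data.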

  6. #6
    Join Date: Dec 2010 | Posts: 9

    Re:

    Hi,
    After extracting the classes from Spring Web 1.2 and Spring 2.5, I found that the class RedirectView has a method renderMergedOutputModel().
    So if we are using version 2.5, then we have a parameter in the constructor, exposeModelAttributes; if it is true then the method appendQueryProperties is called, which is responsible for adding the model object to the header.
    This is missing in Spring 1.2 and was added in Spring 2.0.
    So could anyone please help me in encoding the URL using Base64 encoding?

    setEncodingScheme does not support Base64 encoding.

    Thanks,
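For the Spring 2.5 constructor flag discussed above, an added example (not code from this thread or from Spring itself): the model is parked in the HttpSession across the redirect and the RedirectView is told not to append model attributes, so the Location header carries only timesheet.htm. The EMP_DETAIL session key, the class and the two method names are assumptions. This only keeps the values out of the address bar; the handler for timesheet.htm must still apply the service-layer authorization check, since a user can always type a query string by hand.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.RedirectView;

public class TimesheetRedirectExample {

    // Session key used to carry the model across the redirect (hypothetical name).
    static final String EMP_DETAIL_KEY = "EMP_DETAIL";

    // Called by the form controller after a successful submit (hypothetical method).
    // Produces "Location: timesheet.htm" with no query string.
    public ModelAndView redirectWithoutQueryString(HttpServletRequest request, int empNo) {
        Map model = new HashMap();
        model.put("month", Integer.valueOf(1));
        model.put("year", Integer.valueOf(2010));
        model.put("empNo", Integer.valueOf(empNo));

        // Keep the data server-side instead of in the URL.
        request.getSession(true).setAttribute(EMP_DETAIL_KEY, model);

        RedirectView view = new RedirectView("timesheet.htm");
        // Spring 2.0+: with this false, appendQueryProperties() is never called,
        // so nothing from the ModelAndView model reaches the redirect URL.
        view.setExposeModelAttributes(false);
        return new ModelAndView(view);
    }

    // The handler for timesheet.htm reads the entry once and removes it from the session.
    public Map takeEmpDetail(HttpServletRequest request) {
        Map model = (Map) request.getSession(true).getAttribute(EMP_DETAIL_KEY);
        request.getSession().removeAttribute(EMP_DETAIL_KEY);
        return model;
    }
}
```

setExposeModelAttributes(false) is the setter behind the constructor parameter mentioned in the post. setEncodingScheme only selects the character set used when URL-encoding the query string, which is why Base64 is not an option there; and Base64 would be as transparent to the user as the plain number in any case.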

  7. #7
    Join Date: Nov 2010 | Posts: 10


    Hello,

    I suggested hashing the parameter to hide the true value of the parameter, but since it is impossible to hide the parameter values, I guess you should implement a security layer; the goal of this new 'module' is to deny any access to the data store without having the required rights.

    Try to do this with Spring Security or Acegi.

    best wishes
