Thread: hide url

  1. #1

    hide url

    Is there a way to hide the URL in the address bar with the Acegi security system? I'm using GET as the form method (because I want my clients to use the back button without seeing the re-submit popup warning that browsers show). And now users of the web application can see and change the request parameter values from the address bar. Is there a way to prevent this?
    Thanks...

  2. #2

    I understand you're using GETs instead of POSTs to avoid duplicate page submission warnings.

    Ideally your web controller would simply bind the parameters to a form backing object or private variables, then submit it to a services layer method. If the principal doesn't have privileges to perform the operation, it should be blocked by Acegi Security at the services layer level. This can help you with method invocation protection or ACL security.

    Alternatively, you can try to block this sort of thing at the web request level, but I wouldn't recommend it.

    In some cases you might prefer to have a hash=xxx GET parameter. It could be the hash of the remaining GET parameters and some private key. As such, when the principal clicks a link your system generated, it will work. But if they just changed a parameter, you'd be able to detect that. If your needs are reasonably simple and not widespread throughout the application, this is probably the way to go. If your needs are complicated or frequent throughout the application, use services layer security.
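
The hash=xxx parameter suggested in the reply above, as an added Java example that is not part of the original thread and is not Acegi Security code. It uses HMAC-SHA256 as the keyed hash (a choice made here; the reply names no algorithm); the class `SignedQuery`, its methods, the key and the parameter names are hypothetical, and `HexFormat` requires Java 17.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Hypothetical helper (not an Acegi class): tags server-generated GET links and checks them.
public class SignedQuery {
    private final SecretKeySpec key;
    SignedQuery(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    // Canonical form: sorted by name, names and values URL-encoded, "hash" itself excluded.
    static String canonical(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (e.getKey().equals("hash")) continue;
            if (sb.length() > 0) sb.append('&');
            sb.append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        }
        return sb.toString();
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Hex HMAC-SHA256 tag over the canonical parameters, keyed with the server-side secret.
    String tag(Map<String, String> params) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return HexFormat.of().formatHex(m.doFinal(canonical(params).getBytes(StandardCharsets.UTF_8)));
    }

    // Recompute the tag from the received parameters and compare in constant time.
    boolean verify(Map<String, String> params) throws Exception {
        String given = params.get("hash");
        if (given == null) return false;   // links without a tag are rejected
        return MessageDigest.isEqual(tag(params).getBytes(StandardCharsets.UTF_8),
                                     given.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key and parameters; a real key comes from server configuration.
        SignedQuery sq = new SignedQuery("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        Map<String, String> p = new HashMap<>(Map.of("accountId", "42", "page", "2"));
        p.put("hash", sq.tag(p));
        System.out.println("link: ?" + canonical(p) + "&hash=" + p.get("hash"));
        System.out.println("untouched link verifies: " + sq.verify(p));
        p.put("accountId", "43");          // user edits the address bar
        System.out.println("edited link verifies: " + sq.verify(p));
    }
}
```

A valid tag shows only that the server generated the link, not that the current principal may perform the operation, so the services layer check described in the reply still applies.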
