URL Parameter Encryption

Howdy,

I'm wondering if anyone knows of a simple way to accomplish the
following?

1. Page1.jsp contains a form where the user inputs their username and
password.  This is verified against a database (mySQL) and if the user
is authenticated they are sent to Page2.jsp along with their UserID
which was retrieved from the database.  (If the user fails to
authenticate here; they are sent to Page3.jsp which informs them they
failed and has a link to take them back to Page1.jsp to try again).
[Note: This is working fine.]

2. Page2.jsp takes the UserID and asks the database for the PictureID
of all pictures in the database the user is allowed to see.
[Note: This is working fine.]

3. On Page2.jsp a list of links, each one representing a picture the
user is allowed to view, is listed; each link looks like this:
   a. <A HREF="http://www.foo.com/servlet/servlet1?param1=1">Picture1</A>
   b. <A HREF="http://www.food.com/servlet/servlet1?param1=5">Picture2</A>
[Note: The pictures are stored in a table with the PictureID as one
column and the picture itself as another column.  This is also working
fine].

4. The links call the servlet servlet1 and pass param1 into the
servlet.  The servlet displays the associated picture.  [Note: This is
also working fine].

Here's my problem; if a user submits a request to servlet1 - they can
pass in any parameter and retrieve any picture.  I only want them to
retrieve the pictures they are authorized for (i.e. only the pictures
where the PictureID has been given to them from the database).

I think I could solve my problem by doing the following - (this is
where I think I need help).

If I encrypt the parameter string as follows:

5. On Page2.jsp, when the JSP asks the database for a list of all
PictureIDs for a given username, the database returns the list; when
the page gets the list, in Java I call a function to encrypt the
PictureID.

6. When a user clicks on a link and the servlet gets my encrypted
PictureID, the servlet then decrypts it.

Therefore:

1. Is this reasonable?
2. Am I missing something?
3. Is there a better way to do this?
4. Would you have any suggestions how I might easily encrypt and
decrypt this thing?

Thanks,

Tony

Reply t_carbon (2) 6/25/2005 11:03:11 PM

Well, the "proper" way to do it is to only write Page2.jsp, and leave the
rest to "Form based authentication".

The action of the login form is  j_security_check.

Your login html page should look like this:

<form method="post" action="j_security_check">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
</form>

With form based authentication, you define a login and a login error html
file protecting urls  (in this case your page2.jsp).
When you try to invoke page2.jsp, the container will call the login page you
specified automatically.
You find out what the user logged in as using a call to
request.getUserPrincipal() or getRemoteUser();

For a better explanation try here:
http://www.onjava.com/pub/a/onjava/2002/06/12/form.html

This does however leave you a problem as to how you are configuring your
users. You probably have 3 choices - OS authentication (probably a very bad
idea), LDAP Server or a CustomUserRegistry.

If you decide that's all too complicated for now, and you want to go with
what you have already written, then you want to have page1 stick the
username in the session, and have page2 retrieve it from the session to find
out what images to display. That way you are not passing in the username in
the request at all.

Dave Milne, Scotland

"Tony" <t_carbon@yahoo.com> wrote in message
news:1119740590.975875.263880@o13g2000cwo.googlegroups.com...


Reply Dave 6/25/2005 11:35:56 PM


Dave,

Thanks for answering so quickly.  You've given me quite a bit to think
about - sounds like I was barking up the wrong tree.

I'll look at changing the login stuff.

So if I put the information in the session - it is not visible to the
user if they sniff their own system nor therefore can they change it?

Thanks,

Tony

Reply Tony 6/25/2005 11:46:51 PM

Yes. Put simply, the way the session works is that the browser passes a
"session id" each time, either in a cookie or in a parameter called jsessionid.
The App Server uses this as a key to identify a collection of data held in
the AppServer. Since the data is held on and never leaves the server
(replication between app servers aside), it isn't easily sniffable.

Check out the HttpSession documentation.

You create a session by doing myRequest.getSession(true);
You store attributes in it by doing mySession.setAttribute("key","value")
and retrieve values by doing mySession.getAttribute("key").

Dave Milne, Scotland

"Tony" <t_carbon@yahoo.com> wrote in message
news:1119743211.614697.8160@f14g2000cwb.googlegroups.com...


Reply Dave 6/26/2005 12:20:23 AM
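Pulling Dave's two replies together (keep the identity in the session rather than in the URL; use getSession/setAttribute/getAttribute), here is an added example, not code posted by Tony or Dave, of what servlet1 needs so that a guessed param1 no longer returns someone else's picture: the login step stores the user's identity in the HttpSession, and the servlet serves the picture only if the database says that user was granted that PictureID. Assumed names: a `user_pictures` table (UserID, PictureID) recording the grants, a `pictures` table with a BLOB column `picture`, and a `Db.connect()` helper that returns a JDBC Connection.

```java
import java.io.IOException;
import java.sql.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example; table/column names and Db.connect() are assumptions, not
// the thread's real schema.
public class PictureServlet extends HttpServlet {
    // Call this from Page1.jsp's logic once username/password have been
    // verified against the database. The identity lives server-side in the
    // session, so nothing the browser can edit carries the UserID.
    public static void storeLogin(HttpServletRequest request, int userId) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();   // do not reuse a pre-login session id
        request.getSession(true).setAttribute("userId", userId);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        Integer userId = session == null ? null : (Integer) session.getAttribute("userId");
        if (userId == null) {                // not logged in: refuse, do not redirect with data
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        int pictureId;
        try {                                // param1 stays a plain integer, no encryption needed
            pictureId = Integer.parseInt(request.getParameter("param1"));
        } catch (NumberFormatException e) {  // also covers a missing parameter (null)
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // The authorization check: one parameterized query both fetches the
        // picture and requires a grant row for THIS user, so any PictureID the
        // user was never given simply yields no row.
        String sql = "SELECT p.picture FROM pictures p JOIN user_pictures up"
                   + " ON up.PictureID = p.PictureID WHERE p.PictureID = ? AND up.UserID = ?";
        try (Connection c = Db.connect(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setInt(1, pictureId);
            ps.setInt(2, userId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {            // exists or not, the answer is the same: forbidden
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
                response.setContentType("image/jpeg");   // assumed format of the stored BLOB
                response.getOutputStream().write(rs.getBytes("picture"));
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

With this in place the links on Page2.jsp can keep their plain param1 values; encrypting the parameter would only hide the id, whereas the join against user_pictures is what actually enforces who may see which picture.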
