1. Re: Hide or encrypt url params
emiakoup Mar 23, 2009 8:08 PM (in response to mhdez)
Hello,
perhaps this can help:
http://seamframework.org/Documentation/WebVulnerabilitiesAndCountermeasures
-
2. Re: Hide or encrypt url params
norman Mar 24, 2009 3:53 AM (in response to mhdez)
Are you talking about the conversation id?
-
3. Re: Hide or encrypt url params
mhdez Mar 25, 2009 4:00 PM (in response to mhdez)
Yes, I'm... please help me if you can.
Greetings.
-
4. Re: Hide or encrypt url params
norman Mar 25, 2009 7:32 PM (in response to mhdez)
You can create a custom conversation id generator for any conversation id strategy you like.
-
5. Re: Hide or encrypt url params
mhdez Mar 25, 2009 9:17 PM (in response to mhdez)
Yes, but I need to change exactly this:
http://localhost:8080/clients/admin.seam?cid=7
to:
http://localhost:8080/clients/admin.seam
That means deleting ?cid=7.
I'm trying with URLRewriter 2.6 because I'm using Seam 2.0.0.GA; I cannot use <rewrite pattern...> in pages.xml, since that comes with 2.1.
Do you know how to do it with the <outbound-rule> tag?
-
6. Re: Hide or encrypt url params
swd847 Mar 25, 2009 10:07 PM (in response to mhdez)
If you delete the cid your conversations will not work correctly. Why does it need to be hidden? It is not possible for a user to change the cid and end up in another user's conversation, as they are session scoped. If you are not worried about this then what is the issue?
-
7. Re: Hide or encrypt url params
gardellajuan Mar 26, 2009 1:24 PM (in response to mhdez)
Hi,
Here you can see some reasons why the cid needs to be hidden, and some solutions:
http://chiralsoftware.com/launching-a-jboss-seam-site/jboss-seam-problems.seam
-
8. Re: Hide or encrypt url params
kukeltje.ronald.jbpm.org Mar 26, 2009 4:57 PM (in response to mhdez)
But that is a completely different reason... not security related (OK... it could lead to a DoS, but that is a different thing).
-
9. Re: Hide or encrypt url params
norman Mar 26, 2009 8:09 PM (in response to mhdez)
I think you need to figure out what exactly you are trying to accomplish and then re-ask the question.
-
10. Re: Hide or encrypt url params
vladknez Apr 27, 2009 9:53 PM (in response to mhdez)
Hi!
Pretty similar problem, though not with the cid. It's with any param. Example: when I log in to my Seam app I get to the page for Distributor ... and the URL is:
.../Distributor.seam?distributorId=3&cid=19308
If I just change that 3 into 2 (distributorId) ... I am looking at the data of the distributor with id 2. A major no-no!
I am new to all this, new to the forum, lost 2 days on what I think is a rather trivial situation, played myself (don't laugh) with URL rewrite all day long ... fuming, frustrated... just can't solve this. :(
How do I hide those param values? How do I hide that distributorId?
Thank you in advance. Best regards,
vlad
-
11. Re: Hide or encrypt url params
domagals.jame Oct 13, 2009 1:57 AM (in response to mhdez)
Hey, have you found a solution to this yet? I have the same issue.
Thanks
-
12. Re: Hide or encrypt url params
jeanluc Oct 13, 2009 4:11 PM (in response to mhdez)
From whom do you want to hide the parameters?
- if from anyone snooping the traffic, then use SSL
- if from the user (i.e. you don't want it to be part of the URL but sent via an HTTP POST), it has zero security value.
If you want to prevent the user from accessing other data (i.e. you want instance-level authorization), you need to design your back-end to enforce that and not rely on hiding the parameter. Even if you encrypt it, this is still vulnerable to capture-and-replay attacks. It sounds like you need to read more on application security; start with OWASP.
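Added example (not from any post in this thread and not JBoss Seam code): a plain Java program showing the instance-level authorization that jeanluc's reply calls for, using vladknez's `Distributor.seam?distributorId=3` case. The class and field names (`Distributor`, `CurrentUser`, `loadUnchecked`, `loadForUser`) and the in-memory table are hypothetical and constructed for the demo; in a real Seam application the same check would sit in the page action or query that loads the entity, not in a `main` method.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not from the thread or from Seam. The URL parameter is only a
 * lookup key; whether the caller may see that row is decided server-side from
 * the authenticated user's own authorization data, so tampering, hiding, or
 * encrypting the parameter changes nothing.
 */
public class InstanceLevelAuthz {

    /** Hypothetical entity standing in for the Distributor row in the database. */
    static final class Distributor {
        final long id;
        final String name;
        Distributor(long id, String name) { this.id = id; this.name = name; }
    }

    /** Hypothetical authenticated principal plus the distributor ids it is allowed to see. */
    static final class CurrentUser {
        final String login;
        final Set<Long> allowedDistributorIds;
        CurrentUser(String login, Set<Long> allowedDistributorIds) {
            this.login = login;
            this.allowedDistributorIds = allowedDistributorIds;
        }
    }

    /** Constructed in-memory table replacing the JPA entity manager for this demo. */
    static final Map<Long, Distributor> DB = new HashMap<>();
    static {
        DB.put(2L, new Distributor(2L, "Other company"));
        DB.put(3L, new Distributor(3L, "Vlad's company"));
    }

    /** Vulnerable: trusts the request parameter, so editing 3 to 2 in the URL exposes another tenant. */
    static Distributor loadUnchecked(long distributorId) {
        return DB.get(distributorId);
    }

    /**
     * Hardened: the row is returned only if the authenticated user is entitled to it.
     * "Does not exist" and "not yours" get the same failure so the response does not
     * reveal which ids exist; an encrypted or replayed id for row 2 fails the same way.
     */
    static Distributor loadForUser(CurrentUser user, long distributorId) {
        if (!user.allowedDistributorIds.contains(distributorId)) {
            throw new SecurityException("distributor not accessible");
        }
        Distributor d = DB.get(distributorId);
        if (d == null) {
            throw new SecurityException("distributor not accessible");
        }
        return d;
    }

    public static void main(String[] args) {
        // The logged-in user from the thread owns distributor 3 only.
        CurrentUser vlad = new CurrentUser("vlad", Set.of(3L));

        // The tampering described in the thread: distributorId=3 changed to 2.
        long tamperedId = 2L;
        System.out.println("unchecked: " + loadUnchecked(tamperedId).name);

        try {
            loadForUser(vlad, tamperedId);
        } catch (SecurityException e) {
            System.out.println("checked:   denied (" + e.getMessage() + ")");
        }
        System.out.println("checked:   " + loadForUser(vlad, 3L).name);
    }
}
```

The `allowedDistributorIds` set is the part that must come from the server's own records (the user's account, role, or tenant mapping), never from anything the browser sent; once that lookup is in place, whether the id is visible in the URL, posted in a form, or wrapped in an encrypted token makes no difference to what the user can reach.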