
Java Forum / Security / June 2005


URL Parameter Encryption

Thread view: 
Tony - 26 Jun 2005 00:03 GMT
Howdy,

I'm wondering if anyone knows of a simple way to accomplish the
following?

1. Page1.jsp contains a form where the user inputs their username and
password.  This is verified against a database (MySQL) and if the user
is authenticated they are sent to Page2.jsp along with their UserID,
which was retrieved from the database.  (If the user fails to
authenticate here, they are sent to Page3.jsp, which informs them they
failed and has a link to take them back to Page1.jsp to try again.)
[Note: This is working fine.]

2. Page2.jsp takes the UserID and asks the database for the PictureID
of all pictures in the database the user is allowed to see.
[Note: This is working fine.]

3. On Page2.jsp a list of links, each one representing a picture the
user is allowed to view, is listed; each link looks like this:
  a. <A HREF="http://www.foo.com/servlet/servlet1?param1=1">Picture1</A>
  b. <A HREF="http://www.food.com/servlet/servlet1?param1=5">Picture2</A>
[Note: The pictures are stored in a table with the PictureID as one
column and the picture itself as another column.  This is also working
fine.]

4. The links call the servlet servlet1 and pass param1 into the
servlet.  The servlet displays the associated picture.  [Note: This is
also working fine.]

Here's my problem: if a user submits a request to servlet1, they can
pass in any parameter and retrieve any picture.  I only want them to
retrieve the pictures they are authorized for (i.e. only the pictures
whose PictureID has been given to them from the database).

I think I could solve my problem by doing the following - (this is
where I think I need help).

If I encrypt the parameter string as follows:

5. On Page2.jsp, when the JSP asks the database for a list of all
PictureIDs for a given username, the database returns the list; when
the page gets the list, in Java I call a function to encrypt each
PictureID.

6. When a user clicks on a link and the servlet gets my encrypted
PictureID, the servlet then decrypts it.

Therefore:

1. Is this reasonable?
2. Am I missing something?
3. Is there a better way to do this?
4. Would you have any suggestions how I might easily encrypt and
decrypt this thing?

Thanks,

Tony
Dave Milne - 26 Jun 2005 00:35 GMT
Well, the "proper" way to do it is to only write Page2.jsp, and leave the
rest to "Form based authentication".

The action of the login form is j_security_check.

Your login html page should look like this:

<form method="post" action="j_security_check">
     <input type="text" name="j_username">
     <input type="password" name="j_password">
</form>

With form based authentication, you define a login and a login error html
file protecting URLs (in this case your page2.jsp).
When you try to invoke page2.jsp, the container will call the login page you
specified automatically.
You find out what the user logged in as using a call to
request.getUserPrincipal() or getRemoteUser();

For a better explanation try here:
http://www.onjava.com/pub/a/onjava/2002/06/12/form.html

This does however leave you a problem as to how you are configuring your
users. You probably have 3 choices - OS authentication (probably a very bad
idea), LDAP Server or a CustomUserRegistry.

If you decide that's all too complicated for now, and you want to go with
what you have already written, then you want to have page1 stick the
username in the session, and have page2 retrieve it from the session to find
out what images to display. That way you are not passing in the username in
the request at all.

Dave Milne, Scotland

> Howdy,
>
[quoted text clipped - 56 lines]
>
> Tony
Tony - 26 Jun 2005 00:46 GMT
Dave,

Thanks for answering so quickly.  You've given me quite a bit to think
about - sounds like I was barking up the wrong tree.

I'll look at changing the login stuff.

So if I put the information in the session, it is not visible to the
user if they sniff their own system, nor, therefore, can they change it?

Thanks,

Tony
Dave Milne - 26 Jun 2005 01:20 GMT
Yes. Put simply, the way the session works is that the browser passes a
"session id" each time, either in a cookie or in a parameter called jsessionid.
The App Server uses this as a key to identify a collection of data held in
the AppServer. Since the data is held on and never leaves the server
(replication between app servers aside), it isn't easily sniffable.

Check out the HttpSession documentation.

You create a session by doing myRequest.getSession(true);
You store attributes in it by doing mySession.setAttribute("key","value")
and retrieve values by doing mySession.getAttribute("key").

Dave Milne, Scotland

> Dave,
>
[quoted text clipped - 9 lines]
>
> Tony
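Putting the two answers together (the user's identity lives in the session, and servlet1 checks authorization server-side instead of trusting an encrypted or plain param1), here is an added example servlet that is not code from the thread. The table names, the "username" session attribute that Page1.jsp is assumed to set after login, and the DataSource setup in init() are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.sql.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Serves a picture only if the user recorded in the session at login (never a
// value taken from the request) is authorised for the requested PictureID.
public class PictureServlet extends HttpServlet {
    // Hypothetical tables: user_pictures(username, picture_id) lists what each
    // user may see; pictures(picture_id, image) holds the image bytes.
    private static final String AUTHORIZED_SQL =
        "SELECT p.image FROM pictures p JOIN user_pictures up ON up.picture_id = p.picture_id"
      + " WHERE up.username = ? AND p.picture_id = ?";
    private DataSource dataSource; // assumed to be set up in init(), e.g. via JNDI

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Page1.jsp stored the authenticated user with session.setAttribute("username", ...);
        // with container form-based login this would be req.getRemoteUser() instead.
        HttpSession session = req.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute("username");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        int pictureId;
        try {
            pictureId = Integer.parseInt(req.getParameter("param1"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // One parameterised query does the authorisation check and the fetch together:
        // no row means the picture does not exist or this user may not see it.
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(AUTHORIZED_SQL)) {
            ps.setString(1, user);
            ps.setInt(2, pictureId);
            try (ResultSet rs = ps.executeQuery()) {
                // Same reply for "missing" and "not yours", so IDs cannot be probed.
                if (!rs.next()) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
                byte[] image = rs.getBytes(1);
                resp.setContentType("image/jpeg");
                try (OutputStream out = resp.getOutputStream()) { out.write(image); }
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

Because the check is done against the server-held session and the authorization table on every request, param1 can stay a plain number: guessing another PictureID just yields 404.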


©2008 Advenet LLC   Privacy Policy - Terms of Use