The __fp and _sourcePage values are encrypted as of Stripes 1.5 unless you
have Stripes.DebugMode turned on in your web.xml.
You can use @Validate(encrypted=true) to have form values encrypted when
written out and automatically decrypted when read back in for binding.
As for getting rid of the __fp and _sourcePage parameters for a GET request,
I'm not sure I've ever done this, but it might work. When you write your
form into the HTML, use a regular <form> tag and inside that put a
<stripes:form> with the "partial" attribute turned on. I think that would
eliminate those special elements while still allowing for form repopulation,
etc.
There's nothing in Stripes to help much with combining multiple request
parameters into one. You're on your own there.
-Ben
On Tue, Sep 27, 2011 at 11:33 AM, Newman, John W <newma...@d3onc.com> wrote:
> All,****
>
> ** **
>
> Up to this point our application has used method=”POST” for every form. In
> general we’re not too big on using GET due to the long messy URLs and people
> being able to save or share requests that may or may not work the same all
> the time for everyone.****
>
> ** **
>
> For user experience reasons, we’re looking at converting the “read only”
> forms to GET like they probably should have been in the first place. When
> you go back to a POST, firefox does a nice job of just giving you a simple
> confirm message box. Click yes and you’re back at the results of the post.
> But reasons I don’t understand, IE8 went crazy and re-did this: Send post,
> click back, get a white “page is expired” page (looks like an error), click
> refresh, get a message box, click retry, finally back at your results. It’s
> a lot of reading, mouse movement, and clicks just to go back and repost.
> The average user gets lost and confused throughout this sequence and sees it
> as a bug on our end.****
>
> ****
>
> If I just change the method to GET it works fine, but the URL is extremely
> long. It has the fp and sourcePage parameters in there which shows things
> like WEB-INF and other things I’d rather not have that visible. Why aren’t
> those sourcePage and fp parameters encrypted?****
>
> ** **
>
> That aside, in order to switch this to get I’d like to do a couple things
> if I can:****
>
> ** **
>
> 1). Rewrite the query string from ?a=1234&b=2345=c=3456 to something like
> ?q=6vhHABS59OP0ILkMJsL7yY5t== . ... and the stripes side should still see
> the parameters as “a & b & c”, as it did before, no perceivable change from
> its perspective****
>
> 2). Add a some tokens into the GET to keep track of when it was submitted
> and by whom so we can potentially block out old or unexpected requests.***
> *
>
> ****
>
> #2 is not a big deal, we can do that fairly easily through a subclass of
> the form tag and an interceptor. #1 however, I’m not really sure how to go
> about it. I’m not 100% but I don’t think the /clean/urls/feature can solve
> this as the form is kind of dynamic and has anywhere from 1-15 fields in the
> query. It wouldn’t translate to a restful URL. Does stripes offer
> anything ‘out of the box’ that I can take advantage of? I feel like I am
> missing something. ****
>
> ** **
>
> So far the best I can come up with is to put a servlet filter before the
> stripes filter that takes the “q” parameter, decodes it, and rewrites the
> getParameter() pieces to look into here instead. Unfortunately this
> requires using HttpServletRequestWrapper, and due to no multiple
> inheritance, I have to literally copy a few pieces out of the servlet
> implementation we are currently* using. So obviously that is a poor
> solution and I’m not going to do that.****
>
> ** **
>
> Also, I’m not really sure how to encrypt the parameter on the client side.
> I can hook into the form.submit() piece using jquery, but any encryption I
> put in there is client visible and can be broken. Might I be able to hook
> into the form tag or something, or is just pointless base64 encoding the
> best I can do here?****
>
> ** **
>
> Thanks for any input.****
>
> -John****
>
> ** **
>
> * *
>
> *John W. Newman*
>
> *Programmer*****
>
> *[image: Description: Description: Description:
> C:\Users\newmjw\AppData\Local\Microsoft\Windows\Temporary Internet
> Files\Content.Outlook\TKMGHKML\d3via_logo (2).gif]*****
>
> 5750 Centre Avenue, Suite 500****
>
> Pittsburgh, PA 15206****
>
> Tel 412-204-0116****
>
> newma...@d3onc.com****
>
> www.d3onc.com**
>
> Fax 412-365-0749****
>
> ** **
>
> This e-mail may contain confidential information of the sending
> organization. Any unauthorized or improper disclosure, copying,
> distribution, or use of the contents of this e-mail and attached document(s)
> is prohibited. The information contained in this e-mail and attached
> document(s) is intended only for the personal and confidential use of the
> recipient(s) named above. If you have received this communication in error,
> please notify the sender immediately by e-mail and delete the original
> e-mail and attached document(s).****
>
> ** **
>
> ** **
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2dcopy1
> _______________________________________________
> Stripes-users mailing list
> Stripes-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/stripes-users
>
>
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
