Yep. Basically while your html UI is there to 'help' the user send the right
parameters in the request you can't ever rely on it to do so. It is quite
technically possible for the data to be sent to you some other way (and this
could be legitimate - for example someone using HttpClient to write a tool
to automate something that is normally done through your html ui), so
basically you have to be prepared to validate any requests and associated
parameters that come in, and not rely on the form or html to have done this
for you (except as a convenience in terms of usability). You need to check
any data sent to your app before using it to make sure it isn't going to
break the app.

In terms of security and hacking you need to make use of traditional
methods. Sessions and url hiding alone don't ensure security (someone with a
packet sniffer could sniff the sessionId and hijack the session with spoofed
packets), etc...

For proper security you need SSL of course - which means that the contents
of the request are encrypted between server and browser.
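
A server-side check in the spirit of the advice above, as an added example that is not from the mailing list or the Struts project: a Struts 1 action that re-parses and re-validates the parameters the form is supposed to send, so a request built with HttpClient gets exactly the same treatment as one from the HTML form. The class name, the session attribute "userId", the forward names and the length limits are assumptions made for the example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical Struts 1 action. The HTML form sends a hidden userId and a
// displayName, but nothing stops a client from sending other values, so both
// are re-checked here before anything is done with them.
public class UpdateProfileAction extends Action {
    private static final int MAX_NAME_LENGTH = 64; // constructed limit for the example

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // The authoritative identity is what the server stored in the session
        // at login (assumed attribute "userId"), not what the hidden field claims.
        Long ownerId = (Long) request.getSession().getAttribute("userId");
        Long requestedId = parseId(request.getParameter("userId"));
        if (ownerId == null || !ownerId.equals(requestedId)) {
            return mapping.findForward("accessDenied");   // assumed forward name
        }
        if (!isValidDisplayName(request.getParameter("displayName"))) {
            return mapping.findForward("invalidInput");   // assumed forward name
        }
        // ... persist the new displayName for ownerId only ...
        return mapping.findForward("success");            // assumed forward name
    }

    /** Parses a numeric id; returns null for a missing, oversized or malformed value. */
    static Long parseId(String raw) {
        if (raw == null) return null;
        String s = raw.trim();
        if (s.length() == 0 || s.length() > 18) return null;
        try { return Long.valueOf(s); } catch (NumberFormatException e) { return null; }
    }

    /** Accepts only non-empty, length-bounded text with no control characters. */
    static boolean isValidDisplayName(String name) {
        if (name == null || name.length() == 0 || name.length() > MAX_NAME_LENGTH) {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            if (Character.isISOControl(name.charAt(i))) return false;
        }
        return true;
    }
}
```

The point is that the hidden field and the form's input constraints are treated as hints only; every decision is made from values the server parsed and compared itself.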

-----Original Message-----
From: shankarr [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 27 January 2004 18:32
To: Struts Users Mailing List
Subject: Re: constant url


Hi!
I guess, I have to agree with you on this.
Thanks to all for the help.

Richie

At 10:03 AM 1/27/2004 +0100, you wrote:
>Hi Shankarr
>
>Your best choice will be frames...that way you can hide the details of your
>navigation to the end user.
>
>But frames have some disadvantages, too....It is somehow a pro/con situation
>where you have to decide if you can live with request parameters or not...
>
>Regarding the "hacker-threat"...hmm many sites use request parameters...and
>there are other ways to make the site secure...
>
>Hope that did help
>
>----- Original Message -----
>From: "shankarr" <[EMAIL PROTECTED]>
>To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
>Sent: Tuesday, January 27, 2004 9:47 AM
>Subject: RE: constant url
>
>
> > Hi!
> >
> > Thanks for the response.
> > http://localhost:8081/log4jdemo/loginScreen.do is what I see in my url.
> > I would like to keep this a constant at http://localhost:8081/log4jdemo
>only.
> > I am using both a href and html:link.
> >
> > But, even in cases where I use direct action like /loginScreen.do, on
> > invoking the action, i.e. clicking a button,
> > I get the full path in the url.
> >
> > This exposes the data to the hackers and will be a big issue in
>deployment.
> >
> > Any help will be appreciated.
> >
> > Richie
> >
> >
> >
> > At 04:14 PM 1/27/2004 +0800, you wrote:
> > >If you want to stop the 'ugly' urls showing in the address bar of the
> > >browser, you can have all the contents of the site show in a frame, whose
> > >frameset is found at the url you want to show.
> > >
> > >-----Original Message-----
> > >From: Claus Weng Madsen - TELMORE [mailto:[EMAIL PROTECTED]
> > >Sent: Tuesday, 27 January 2004 15:53
> > >To: Struts Users Mailing List
> > >Subject: SV: constant url
> > >
> > >
> > >Hi
> > >
> > >If you are using a <a href> or <html:link> you cannot hide the
> > >parameters.
> > >
> > >The url you're using should be the path configured in the struts-config.
> > >
> > >Best regards
> > >
> > >Claus Weng Madsen, Team Leader
> > >TELMORE A/S
> > >Carl Gustavsgade 3, 2630 Taastrup
> > >Phone 70218700, Mobile 30242875
> > >www.telmore.dk
> > >
> > >
> > >-----Original Message-----
> > >From: shankarr [mailto:[EMAIL PROTECTED]
> > >Sent: 27 January 2004 07:53
> > >To: [EMAIL PROTECTED]
> > >Subject: constant url
> > >
> > >
> > >Hi!
> > >Whenever I click on any link, my url shows the action name and the
> > >parameters being passed.
> > >I want to avoid showing this.
> > >How to do it?
> > >
> > >Richie
> > >
> > >"To achieve all that is possible, one must attempt the impossible"
> > >
> > >
> > >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> > >
> >
> > "To achieve all that is possible, one must attempt the impossible"
> >
> >
>

"To achieve all that is possible, one must attempt the impossible"
