On Friday 03 March 2006 21:03, Sergei Dubov wrote:
> I am worried about the security.
>

Ah - I understand now.

I have done something similar - which I copied from the vlib example 
application. From the source code for v4.0 I used the following as a 
template.

examples/Vlib/src/java/org/apache/tapestry/vlib/services/ViewPageEncoder.java

Unfortunately it takes a quick shortcut with the encoding because it uses an 
integer which doesn't get encoded.  I made a different version which did it 
for strings.  My aim was to get the url to be the same as the unsqueezed 
parameter, so I had to unsqueeze the squeezed value in the encoding routine 
and squeezed it in the decoding routine.  I suspect here is a place you could 
do some encoding from the squeezed string.

The encoder is actually unsqueezing

        String[] params = encoding.getParameterValues(ServiceConstants.PARAMETER);

        // Since we expect params to be strings, which I want to be seen in the URL,
        // we need to unsqueeze them
        
        DataSqueezerImpl ds = new DataSqueezerImpl();
        ds.register(new StringAdaptor());
        Object [] urlString = ds.unsqueeze(params);
        
        for (Object param : urlString)
        {
            builder.append("/");
            builder.append(param); //skip the first
        }

        encoding.setServletPath(builder.toString());



and the decoder is squeezing


        String pathInfo = encoding.getPathInfo();

        // Skip the leading slash, then split the rest at each slash and add the "S" back in

        String[] params = TapestryUtils.split(pathInfo.substring(1), '/');
        
        DataSqueezerImpl ds = new DataSqueezerImpl();
        ds.register(new StringAdaptor());
        params = ds.squeeze(params);
 
        
        encoding.setParameterValue(ServiceConstants.SERVICE, Tapestry.EXTERNAL_SERVICE);
        encoding.setParameterValue(ServiceConstants.PAGE, _pageName);
        encoding.setParameterValues(ServiceConstants.PARAMETER, params);





My guess is that where I use new StringAdaptor(), you could develop your own.


-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.
