Kiran Badi wrote:
Hi All,
For some of the functionality, I have url in the below format
http://localhost:8080/mysite/getmyservice.do?id=17
What I was looking for is to hide the id part of the url and just show
something like
http://localhost:8080/mysite/getmyservice.do#
Is this hack possible with tomcat 7.011 or 7.027 or I need to write some
filter to do this?
I have Tomcat 7.027 on win 7 home premium and url is generated via
servlet/jsp.
Kiran,
Why does that "id=17" visible in the URL bother you ?
Is it because of some security aspect ? (that the user could change it, and get something
else than what they should be getting ?)
1) If that is the case, then the basic logic of your application is flawed. If this is
information that really needs to be sent by the browser to the server, then the browser
must have that information. And if that information originally comes from the server and
is sent to the browser, then there is /nothing/ that you can do to block some user from
playing around with it, before sending it back to the server.
If you do not want the user to be able to play around with some information, then don't
send it to him in the first place.
2) if the browser /must/ send some information to the server as part of the URL, then
there is /nothing/ that can be done on the server side, to stop the browser showing this
information in the URL bar.
To illustrate this :
- imagine that the server sends a page to the browser, and this page contains a
link like :
<a href="http://localhost:8080/mysite/getmyservice.do?id=my-very-secret-information">click
here</a>
Then the user, just by moving his mouse above "click here", sees the content of that link
at the bottom of his screen, in the status bar, right ?
And the user can right-click on "click here", and choose "copy link location".
And then the user can open another browser window, and paste this URL in the
URL bar.
And then the user can modify this link before hitting the return button, so that the link
now looks like
http://localhost:8080/mysite/getmyservice.do?id=some-other-information
right ?
And all this happens in the browser, /before/ the server even sees this browser
request.
So what could the server do ?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org