Re: URL Rewriting

Wed, 13 Jun 2012 01:51:23 -0700 

Kiran Badi wrote:

Hi All,

For some of the functionality, I have url in the below format

http://localhost:8080/mysite/getmyservice.do?id=17
What I was looking for is to hide the id part of the url and just show something like 

http://localhost:8080/mysite/getmyservice.do#
Is this hack possible with tomcat 7.011 or 7.027 or I need to write some filter to do this?
I have Tomcat 7.027 on win 7 home premium and url is generated via servlet/jsp. 



Kiran,

Why does that "id=17" visible in the URL bother you ?
Is it because of some security aspect ? (that the user could change it, and get something else than what they should be getting ?)
1) If that is the case, then the basic logic of your application is flawed. If this is information that really needs to be sent by the browser to the server, then the browser must have that information. And if that information originally comes from the server and is sent to the browser, then there is /nothing/ that you can do to block some user from playing around with it, before sending it back to the server. If you do not want the user to be able to play around with some information, then don't send it to him in the first place.
2) if the browser /must/ send some information to the server as part of the URL, then there is /nothing/ that can be done on the server side, to stop the browser showing this information in the URL bar. 

To illustrate this :
- imagine that the server sends a page to the browser, and this page contains a 
link like :
<a href="http://localhost:8080/mysite/getmyservice.do?id=my-very-secret-information";>click here</a>
Then the user, just by moving his mouse above "click here", sees the content of that link at the bottom of his screen, in the status bar, right ? 
And the user can right-click on "click here", and choose "copy link location".
And then the user can open another browser window, and paste this URL in the 
URL bar.
And then the user can modify this link before hitting the return button, so that the link now looks like 
http://localhost:8080/mysite/getmyservice.do?id=some-other-information
right ?
And all this happens in the browser, /before/ the server even sees this browser 
request.
So what could the server do ?



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to