how to bypass url parameters?

 
Ranch Hand
Posts: 39
I am trying to give a link to a Crystal Report in my JSP file. The Crystal Report accesses a database. Hence in my URL I am passing the username and password for the database (different from the user login), e.g.: http://myurl.com?user0=myuser&password0=mypwd
I don't want the user to see this. Is there any other way of passing this data (say, put them in a cfg file and call them in this URL), like user0=mybean etc.?
If not, is there any way of disabling the user from seeing the userid and password? (Both when the user points the mouse on the link and when "view source" is selected from the browser menu.)
TIA
 
Ranch Hand
Posts: 129
try setting them as attributes of the session
 
Ranch Hand
Posts: 34
Hi,
I think you are using the GET method (<form method=get>), that's why you see the userid and password. If you use the POST method then you can't see the userid and password.
<form method=post action="">
....
If I'm wrong, correct me.
 
Ranch Hand
Posts: 4716
I agree, the problem is you are doing a "get" rather than a "post".
GET passes parameters in the URL; POST passes them in the body of the request.
 
Saloon Keeper
Posts: 25852
I VERY STRONGLY urge you NOT to pass user IDs and passwords to the client system. There are any number of simple tools out there (including the "view source" browser option) that can be used to find out what they are and cause mischief. You're better off keeping these items as session variables so that they never leave the server.
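As an added example (not code from this thread, and not the Crystal Reports viewer API), here is a servlet that does what the post above describes: the JSP links to /report?name=sales, and the database user and password are read on the server from a file under WEB-INF, so they never appear in the URL, the page source, or the browser history. The class, file, property and attribute names are assumptions.

```java
// Added example: keep the report database credentials on the server.
// The JSP link is <a href="report?name=sales">Sales</a>; no user0/password0 in it.
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportProxyServlet extends HttpServlet {
    private final Properties dbCfg = new Properties();

    @Override
    public void init() throws ServletException {
        // Assumed file: /WEB-INF/report-db.properties with report.user and report.password.
        // Anything under WEB-INF is never served directly to a browser.
        try (InputStream in = getServletContext().getResourceAsStream("/WEB-INF/report-db.properties")) {
            if (in == null) {
                throw new ServletException("missing /WEB-INF/report-db.properties");
            }
            dbCfg.load(in);
        } catch (IOException e) {
            throw new ServletException(e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The application login (assumed session attribute "appUser") is separate from the DB login;
        // only logged-in users may run a report.
        if (req.getSession(false) == null || req.getSession(false).getAttribute("appUser") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Allow-list the report name so the only client-controlled value cannot reach other files.
        String name = req.getParameter("name");
        if (name == null || !name.matches("[A-Za-z0-9_]{1,32}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Hand the credentials to the report page as request attributes: they stay inside
        // the server, and the forwarded JSP (assumed to live under WEB-INF) reads them there.
        req.setAttribute("user0", dbCfg.getProperty("report.user"));
        req.setAttribute("password0", dbCfg.getProperty("report.password"));
        req.getRequestDispatcher("/WEB-INF/reports/" + name + ".jsp").forward(req, resp);
    }
}
```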
 
Ranch Hand
Posts: 5040
Tim:
I agree with you 100%. Also, if you have observed something here...
"my url i am passing the username and password for the database"
I may be guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB.
Am I right?
(Technically speaking, not that I would attempt it...)
- satya
 
Kameswari Jyosyula
Ranch Hand
Posts: 39
Right guys,
I share your concern regarding the client being able to access the DB. So what we did is a sort of workaround - we created a DB with guest as user and password and gave that user very limited privileges, and also the new DB has nothing sensitive. Thus we avoided the userid and password of the DB itself. Of course we are using the POST method.
Thanks
 
Madhav Lakkapragada
Ranch Hand
Posts: 5040
"ofcourse we are using the post method"
FYI...
There is still a possibility of looking up the uname and passwd if you are sending it to the client, say via view source. Even hidden fields can be seen.
Regards.
- satya
 
Tim Holloway
Saloon Keeper
Posts: 25852
"I may be guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB.
Am I right?"
Once you know the username and password, you can do anything you want in any language you want! Sure, JDBC applets get constrained by the Java sandbox, firewalls may intervene, the userID might have read-only privileges, but these are just details.
Actually, if the userID and password were really a special limited account just for the web browser, I'd just hard-code them into the JSP/Servlet and never send them out or store them at all! Why bother if the actual user's ID is immaterial?