the URL a link points to has to be known to the browser and so is inevitably visible to a user.
I think the only thing you can do about this, is to obfuscate a link by using some kind of dynamically generated pseudo URL. Still at least the hostname of the target would still be known to the user.
What's the point in hiding the URL?
posted 10 years ago
Thanks Marco for your interest .
i cannot use pseudo because the parameters are from the database which are added by the user like username .
and i want to hide the URL for security i cannot let the user to change the username parameter from the URL and view his or her data without login first .
notice that i receive those parameters from another application coded by ASPX which get them from the database
although I don't have very detailed information about your project this sounds to me like you're trying to establish something like a user sessions by adding user credentials as parameters to URLs. I think this "authentication mechanism" is not very secure, regardless if the user sees a link to change the parameters or uses other tools to inject the parameter he wants.
Why don't you use the usual session handling mechanism of Java web applications, i.e. session cookies or unique session IDs in the URL? This way the Servlet container can take care of user authentication and authorisation which also prevents a user to access a protected URL without a valid session (after his login).
Or maybe I just don't understand your requirements. What exactly does the said ASPX application do? Does it log into your application using the user name and password as URL parameters? Then another way to communicate would probably be more appropriate.
Hiding the URL will provide no measure of security. The end user will easily be able to see the parameters using any number of network and browser tools. And unless you are using SSL, the information is passed in clear text over the network where anyone can see it.
If you are concerned with security (as you should be), then taking real security measures is necessary. Hiding the URL isn't one of them.