how to avoid browser parameter values?

 
Ranch Hand
Posts: 261
In one of my JSP pages, we used the logic:iterate tag with "edit", "remove", and "view list" links like the following.


When I click on the edit link of any one record, in the browser I see

with the value (schoolListId=5), and if anyone changes it in the browser to another number instead of 5 and presses enter, then the edit page of the corresponding record is displayed automatically and he can edit it, which is absolutely wrong.

Is there any way to avoid passing the parameter through the browser? Actually I tried with method post, but no use.

Could someone give me a solution?
 
Sheriff
Posts: 14691

Actually I tried with method post, but no use.


No use? Why? What went wrong?
 
Ranch Hand
Posts: 884

Originally posted by sumant kuchipudi:
When I click on the edit link of any one record, in the browser I see

with the value (schoolListId=5), and if anyone changes it in the browser to another number instead of 5 and presses enter, then the edit page of the corresponding record is displayed automatically and he can edit it, which is absolutely wrong.



This isn't really a problem of the users being able to change the parameter values in the URL. It is more of an authorization issue. If the record is something this user shouldn't be seeing, you should be checking that and disallowing him from seeing it. So even if he does try to change the value to something else and attempts to browse to it, your application logic will determine that he is not authorized to view/edit that record and stop him from doing so.

You're trying to solve the issue in the wrong manner.
 
Simpson Kumar
Ranch Hand
Posts: 261
Thanks Chengwei Lee;

Now I'm just verifying whether the schoolListId corresponds to the current user or not. If not, I just throw an exception and show him a message.

OK, this solution is good, but I think it's not the right solution. Can we avoid that browser parameter in any other way?

I used Struts logic:iterate and put the parameters from there; I don't know why post is not working.
I put method=post, but the browser is still displaying the parameter.
 
Ranch Hand
Posts: 193
Looks like this is an open issue with the <html:link> tag: only HTTP GET is supported.

JIRA issue

What you could try as an alternative to <html:link> is to define a form with POST, add hidden fields with the id, and trigger the submit of the form with JavaScript when the edit link is clicked.
 
Chengwei Lee
Ranch Hand
Posts: 884

OK, this solution is good, but I think it's not the right solution. Can we avoid that browser parameter in any other way?



Why do you think this is not the right solution? Your problem here lies in the fact that the user is able to access records he is not supposed to. So this is an authorization problem, isn't it?

Even if you are able to use HTTP POST, there is no stopping someone who is determined enough to alter the values of the parameters. They just need to capture the request and alter the values. So regardless of using GET or POST, it doesn't stop someone from changing the parameter values.
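The ownership check that this reply (and Simpson's own "verify that schoolListId corresponds to the current user" fix) describes, written out as an added example. This is not code from the thread or from Struts; it is framework-independent so it can be read on its own. The class names, the in-memory store standing in for the DAO, the user ids and the two sample records are all constructed for the illustration. In a Struts 1 Action you would call loadForEdit() from execute() with the user id taken from the HttpSession and the raw parameter from request.getParameter("schoolListId"); the check is the same whether the id arrived by GET or POST.

```java
import java.util.HashMap;
import java.util.Map;

// Server-side authorization for a record referenced by a request parameter
// such as schoolListId. The id from the browser is treated as untrusted input:
// it is parsed strictly, then the record must both exist AND belong to the
// caller before it is handed to the edit page. Names and data are constructed
// for this example.
public class SchoolListAuthz {

    // One exception type for "not found" and "not yours", so the response does
    // not reveal which ids exist to someone walking through the number space.
    public static class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String msg) { super(msg); }
    }

    // Minimal record: its id plus the id of the user who owns it.
    public static final class SchoolList {
        public final long id;
        public final long ownerUserId;
        public final String name;
        SchoolList(long id, long ownerUserId, String name) {
            this.id = id;
            this.ownerUserId = ownerUserId;
            this.name = name;
        }
    }

    // Stand-in for the DAO / database, filled with constructed sample rows.
    private final Map<Long, SchoolList> store = new HashMap<>();

    public SchoolListAuthz() {
        store.put(5L, new SchoolList(5L, 100L, "list owned by user 100"));
        store.put(6L, new SchoolList(6L, 200L, "list owned by user 200"));
    }

    // Strict parse of the raw parameter: anything that is not a positive
    // integer is rejected before it reaches the data layer.
    static long parseId(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("missing schoolListId");
        }
        try {
            long id = Long.parseLong(raw.trim());
            if (id <= 0) {
                throw new IllegalArgumentException("invalid schoolListId");
            }
            return id;
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("invalid schoolListId");
        }
    }

    // The authorization check itself. currentUserId comes from the session,
    // never from the request parameters.
    public SchoolList loadForEdit(long currentUserId, String rawSchoolListId) {
        long id = parseId(rawSchoolListId);
        SchoolList rec = store.get(id);
        if (rec == null || rec.ownerUserId != currentUserId) {
            // Log the denied attempt server-side; repeated mismatches from one
            // session are a useful detection signal.
            System.err.println("denied: user " + currentUserId
                    + " requested schoolListId=" + id);
            throw new AccessDeniedException("record not available");
        }
        return rec;
    }

    public static void main(String[] args) {
        SchoolListAuthz svc = new SchoolListAuthz();
        // Owner asks for his own record: allowed.
        System.out.println(svc.loadForEdit(100L, "5").name);
        // Same user edits the URL to another id: denied, no record returned.
        try {
            svc.loadForEdit(100L, "6");
        } catch (AccessDeniedException e) {
            System.out.println("denied as expected: " + e.getMessage());
        }
        // Non-numeric parameter: rejected before any lookup.
        try {
            svc.loadForEdit(100L, "5 OR 1=1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The point of keying the check on the session's user id rather than anything sent by the browser is exactly the one made above: hiding the parameter in a POST body changes nothing, because the server still has to decide on its own whether this user may touch this record.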
 
Simpson Kumar
Ranch Hand
Posts: 261
Hi Lee,
You are absolutely right; we must follow authorization in order to avoid the changing of request parameters from the browser. I think I will keep my solution as it is.

Thank you very much for your time and replies.
 