• Post Reply Bookmark Topic Watch Topic
  • New Topic

Encrypting servlet names

 
Gary Larson
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
We are running a secure Java Struts application on WebSphere using servlets, so the URLs in our application are things like:

http://localhost:9080/myApp/quotes.do
http://localhost:9080/myApp/orders.do
http://localhost:9080/myApp/users.do

etc, etc.

I have seen in programs such as PayPal, Online Banking, WebSphere Portal etc that the servlet and action names are encrypted to appear meaningless to the user.
Is there a "standard" way of implementing this without changing all your action mappings in the struts config XML?

So instead of...

http://localhost:9080/myApp/quotes.do

.. the user will see something like this...

http://localhost:9080/myApp/khatv8hZ9AQmIXzcyZhxHO3QCh7UpL2kcTWf7NDeG8iRAzJrrCKsH2BIKtfPDYGluSVfdNKRkn5hKyjCZ4n7fEEVb2HDMN7IgJ6T

... or similar?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
108
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
To what end?
 
Gary Larson
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Bear Bibeault wrote:To what end?


What do you mean?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
108
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Why would you want to do that?

Those values aren't encrypted servlet names, but single-use values that relate to some action that only someone sent the URL could know. For example to respond to a sign-up verification, or a password change request sent to an email address.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
108
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
With regards to how to deal with them, they aren't generally part of the servlet path, but rather extra path info that can be retrieved from the URL with methods on HttpServletRequest.
 
Gary Larson
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Bear Bibeault wrote:Why would you want to do that?

Those values aren't encrypted servlet names, but single-use values that relate to some action that only someone sent the URL could know. For example to respond to a sign-up verification, or a password change request sent to an email address.


We had a situation where customers were experimenting with address names because they are in plain English and accidentally "stumbled" across a valid one.
I've since secured all our URLs, but if there's a way to make them long and essentially "messy" I think it's a step towards stopping people playing around with URLs.

So I take it you're not aware of such a thing, or you're saying it isn't possible?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
108
IntelliJ IDE Java jQuery Mac Mac OS X
  • Likes 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Gary Larson wrote:We had a situation where customers were experimenting with address names because they are in plain English and accidentally "stumbled" across a valid one.
I've since secured all our URLs, but if there's a way to make them long and essentially "messy" I think it's a step towards stopping people playing around with URLs.

Generally known as "security through obscurity", and not well-regarded as a security measure. Your approach of making sure that proper authorization -- making sure that no one can do anything they are not supposed to -- on the server is a vastly superior approach.

So I take it you're not aware of such a thing, or you're saying it isn't possible?

I'm saying it's not an effective security measure and I wouldn't bother.
 
margaret gillon
Ranch Hand
Posts: 335
6
Linux Tomcat Server Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Generally known as "security through obscurity"


Bear, I like the rhyme. It describes a few companies I have worked at. The companies think that burying software in obscure sub-directories on the network will stop casual users from accessing it and so the companies never create logins for the software.

It this a problem seen with web sites as well ? Would a novice web developer, or someone managing a static site, think that by having files in sub folders the folders are safe from spiders that might explore the site?
 
Ulf Dittmer
Rancher
Posts: 42970
73
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Unfortunately, this approach is all too commonly used, and not just by beginners. Hence the need to give it a name :-) Luckily, people are starting to get better educated about security - not least because of all attacks happening all over the web, NSA included - so it is becoming rarer, and less acceptable.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
108
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
What Ulf said!

margaret gillon wrote:
The companies think that burying software in obscure sub-directories on the network will stop casual users from accessing it and so the companies never create logins for the software.

Sad -- I'd say that's criminally negligent!
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!