0
votes

I have a page that does a redirect to another page; however, a parameter is passed in the redirect. In the Controller there is a URL mapping that matches the URL with a GET method. The GET method takes the parameter and sets values on the display. The URL looks like this:

http://localhost:1234/appName/pageName.htm?recNo=123

However, it is very easy for the user to change the parameter value from 123 to any value and then refresh the page. Once the recNo the user enters is valid and the page is refreshed, the data will be displayed. I want to allow the user to only be able to view the record for the recNo that was passed. I do not want the user to be able to modify the parameter in the URL.

What is the best approach to handling this in Spring MVC? The method must be a GET after the page is redirected.

3
How about making some validation in your function to ensure that the user has the right to access that recNo? - Daniel Robertus

3 Answers

5
votes

If your request must be GET, it means it must be stateless. It should not rely on what the user did in the last request, which also means that all the information required for the GET request to be executed properly should be contained within the GET request.

With that in mind, the only way to pass information in the URL is by making it a part of the URI, or as a URL parameter. So either /app/product/123 or /app/product?id=123.

This exposes the URL to a possible security vulnerability where the user can manipulate the id in the URL.

There are two solutions:

  1. Implement a more robust system in the backend to check that the id referenced in the GET URL is associated with / allowed for the user who is trying to access the URL. Basically, be more explicit and deliberate about asserting your security constraints. This method will fail if your users are unauthenticated users (no login needed).

  2. The second solution is to expose an encrypted and encoded version of the id in the URL. You should use two-way encryption, though. So when the POST request completes, it encrypts and encodes the id and appends it to the subsequent GET request. When the GET request is received you decode and decrypt the URL parameter to get the real id and show the appropriate content. This method basically implies that it would be very difficult for a user to manipulate an encrypted parameter such that it could be decrypted to produce a valid number. I often use AES encryption and Base64 encoding.

Hope this helps.
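As an added example (not part of the original answer, and not Spring-specific so it can run on its own), both solutions in plain Java: `mayView` is the per-request authorization check of solution 1, run against constructed sample ownership data, and `encodeRecNo`/`decodeRecNo` implement solution 2 with AES in GCM mode plus URL-safe Base64. GCM is an authenticated mode, so a token whose characters have been edited is rejected outright instead of decrypting to some other number, which is the property solution 2 relies on. The class and method names, the sample data and the key handling are assumptions made for this illustration; a real key would come from configuration, not be generated at startup.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example, not from the original answer: two ways of protecting recNo. */
public class RecNoGuard {

    // Solution 1: ownership check.
    // Constructed sample data (assumption): authenticated user -> records that user may view.
    private static final Map<String, Set<Long>> OWNED = Map.of(
            "alice", Set.of(123L, 124L),
            "bob",   Set.of(500L));

    /** True only if the *authenticated* user may view recNo; call this first thing in the GET handler.
     *  The user name must come from the server-side principal, never from the URL. */
    public static boolean mayView(String user, long recNo) {
        Set<Long> owned = OWNED.get(user);
        return owned != null && owned.contains(recNo);
    }

    // Solution 2: opaque, authenticated token in place of the plain recNo.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int NONCE_BYTES = 12;   // standard GCM nonce size
    private static final int TAG_BITS = 128;     // full-length authentication tag

    /** Encrypt recNo with AES-GCM under a fresh random nonce and return nonce||ciphertext||tag as URL-safe Base64. */
    public static String encodeRecNo(SecretKey key, long recNo) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                                   // never reuse a nonce with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(ByteBuffer.allocate(Long.BYTES).putLong(recNo).array());
        byte[] out = ByteBuffer.allocate(NONCE_BYTES + ct.length).put(nonce).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Decode and decrypt; returns null if the token is malformed or its tag does not verify (i.e. it was tampered with). */
    public static Long decodeRecNo(SecretKey key, String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < NONCE_BYTES + TAG_BITS / 8 + Long.BYTES) return null;   // too short to be valid
            GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, NONCE_BYTES);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, spec);
            byte[] pt = c.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES);   // throws AEADBadTagException on tampering
            return ByteBuffer.wrap(pt).getLong();
        } catch (Exception e) {
            return null;   // treat every failure the same: the request gets no record
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical key for the demo; a real deployment loads a fixed key from configuration.
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        SecretKey key = new SecretKeySpec(raw, "AES");

        // Solution 1: alice owns 123, bob does not.
        System.out.println("alice may view 123: " + mayView("alice", 123L));
        System.out.println("bob may view 123:   " + mayView("bob", 123L));

        // Solution 2: the redirect carries the token instead of the raw number.
        String token = encodeRecNo(key, 123L);
        System.out.println("pageName.htm?rec=" + token);
        System.out.println("decoded: " + decodeRecNo(key, token));

        // A user editing the parameter: flip one character and the tag check fails.
        char[] t = token.toCharArray();
        t[t.length - 1] = t[t.length - 1] == 'A' ? 'B' : 'A';
        System.out.println("tampered token decodes to: " + decodeRecNo(key, new String(t)));
    }
}
```

In the GET handler you would call `decodeRecNo` on the parameter and return 404/403 on null; when users are logged in, combine it with `mayView` on the decoded value, because a token is a bearer value and anyone who obtains one (for example from a shared or logged URL) can replay it for as long as the key is valid.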

3
votes

If you are redirecting to a page in the same application you can store this info in the session; use @SessionAttribute.
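An added illustration of that answer (example code, not the original poster's): the POST step stores recNo as a session-backed model attribute and the GET handler reads it back from the session, so the value never appears in the URL and there is nothing for the user to edit. The controller, mapping paths and attribute name are assumptions for the example; it uses the class-level `@SessionAttributes` annotation, which Spring MVC provides for exactly this hand-off between requests to the same controller.

```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.SessionAttributes;

/** Hypothetical controller for the example: recNo travels via the HTTP session, not the query string. */
@Controller
@SessionAttributes("recNo")   // model attribute "recNo" is kept in the session between requests
public class RecordController {

    /** Step that determines which record to show (assumed to be a trusted, server-side decision). */
    @PostMapping("/appName/submit")
    public String submit(Model model) {
        long recNo = 123L;                 // constructed value; in practice the id the server just created/selected
        model.addAttribute("recNo", recNo); // stored in the session because of @SessionAttributes
        return "redirect:/appName/pageName.htm";   // no ?recNo=... on the redirect
    }

    /** The GET after the redirect: recNo is resolved from the session, so the URL carries nothing to tamper with.
     *  If the session attribute is absent (direct GET without the prior step) Spring raises
     *  HttpSessionRequiredException instead of showing a record. */
    @GetMapping("/appName/pageName.htm")
    public String show(@ModelAttribute("recNo") Long recNo, Model model) {
        model.addAttribute("record", "record #" + recNo);   // placeholder for the real lookup
        return "pageName";
    }
}
```

The trust boundary moves to the POST step: whatever puts recNo into the session must itself be authorized to do so, since the GET now accepts the stored value without further checks.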

0
votes

Assumption: it is not mandatory to use the "get" method.

I think you can hide the parameters in the URL by using the "post" method instead of the "get" method.

In the HTML form, you can add method="post". Below is the example:

<form action="hello" method="post">
    <!-- parameters go in the request body instead of the query string -->
    <input type="text" name="name" /> <br>
    <input type="submit" value="Submit">
</form>