Re: Securing URL Parameters

2006-12-07 Thread Dennis Sinelnikov

Damian Krzeminski wrote:

Dennis Sinelnikov wrote:

Dear Fellow Tapestriers :),

I need to implement an EngineService that will return a specific file 
living on a filesystem.  I need to pass a parameter in the url that 
specifies which file to return.  I've searched the Tapestry listserv 
archives for an elegant solution, but nothing really caught my eye.  
My initial thought was to do a one-way hash of the file and pass it 
via the parameter in the url; when the url comes back the service 
would "replicate" the process by comparing the hashes of all the files 
and see which one matches; the one that matches is returned to the user.


I'm curious to see what others are doing in securing urls from 
malicious users.  Sample code or any suggestions are greatly appreciated.


Thanks,
Dennis


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




I was looking for an elegant solution for that problem as well. I ended up 
doing something similar to AssetService, which is, I guess, what you are 
trying to do as well.


The code is here:
http://scm.sipfoundry.org/rep/sipX/main/sipXconfig/web/src/org/sipfoundry/sipxconfig/components/DownloadService.java 

http://scm.sipfoundry.org/rep/sipX/main/sipXconfig/web/src/org/sipfoundry/sipxconfig/components/DownloadLink.java 



It's in a Subversion repository - you can get the entire project from here: 
http://scm.sipfoundry.org/rep/sipX/main/sipXconfig


If anybody comes up with something better I'd like to know that.
Damian




Thanks Sam and Damian.  I guess the answer was right in front of my nose 
the whole time. ;)


-Dennis





Re: Securing URL Parameters

2006-12-07 Thread Damian Krzeminski

Dennis Sinelnikov wrote:

Dear Fellow Tapestriers :),

I need to implement an EngineService that will return a specific file 
living on a filesystem.  I need to pass a parameter in the url that 
specifies which file to return.  I've searched the Tapestry listserv 
archives for an elegant solution, but nothing really caught my eye.  My 
initial thought was to do a one-way hash of the file and pass it via the 
parameter in the url; when the url comes back the service would 
"replicate" the process by comparing the hashes of all the files and see 
which one matches; the one that matches is returned to the user.


I'm curious to see what others are doing in securing urls from malicious 
users.  Sample code or any suggestions are greatly appreciated.


Thanks,
Dennis






I was looking for an elegant solution for that problem as well. I ended up doing something similar to 
AssetService, which is, I guess, what you are trying to do as well.


The code is here:
http://scm.sipfoundry.org/rep/sipX/main/sipXconfig/web/src/org/sipfoundry/sipxconfig/components/DownloadService.java
http://scm.sipfoundry.org/rep/sipX/main/sipXconfig/web/src/org/sipfoundry/sipxconfig/components/DownloadLink.java

It's in a Subversion repository - you can get the entire project from here: 
http://scm.sipfoundry.org/rep/sipX/main/sipXconfig


If anybody comes up with something better I'd like to know that.
Damian





Re: Securing URL Parameters

2006-12-06 Thread Sam Gendler

I don't usually send the filename hashed.  I merely include a hash of
the parameter that was created with a secret seed.  At the other end,
I can determine if the payload was messed with by seeing if the
parameters match the hash of the params.  This makes life a lot easier
to debug, is pretty secure (although someone who guesses your seed can
make you do anything they want), and makes it easier on the server
end, since you don't have to maintain a map of hash values to file
paths.  Any request that fails the hash test just gets sent an error
page.

--sam


On 12/6/06, Dennis Sinelnikov <[EMAIL PROTECTED]> wrote:

Dear Fellow Tapestriers :),

I need to implement an EngineService that will return a specific file
living on a filesystem.  I need to pass a parameter in the url that
specifies which file to return.  I've searched the Tapestry listserv
archives for an elegant solution, but nothing really caught my eye.  My
initial thought was to do a one-way hash of the file and pass it via the
parameter in the url; when the url comes back the service would
"replicate" the process by comparing the hashes of all the files and see
which one matches; the one that matches is returned to the user.

I'm curious to see what others are doing in securing urls from malicious
users.  Sample code or any suggestions are greatly appreciated.

Thanks,
Dennis
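
The scheme Sam describes above, as an added example (not code from the thread, Tapestry or sipXconfig): the file parameter stays readable in the URL and a keyed hash of it travels beside it. HMAC-SHA256 stands in here for the seeded hash; the class name, the `file`/`sig` parameter names, the base directory and the secret are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper for illustration; not a Tapestry or sipXconfig class.
public class SignedFileParam {
    private final SecretKeySpec key;
    private final Path baseDir;

    public SignedFileParam(byte[] secret, Path baseDir) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    // Link-building side: tag to put in the URL next to the readable file parameter.
    public String sign(String file) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] tag = mac.doFinal(file.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Service side: resolved path, or null when the request should get the error page.
    public Path verify(String file, String sig) throws GeneralSecurityException {
        if (file == null || sig == null) return null;
        byte[] expected = sign(file).getBytes(StandardCharsets.US_ASCII);
        byte[] given = sig.getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, given)) return null; // constant-time compare
        Path p = baseDir.resolve(file).normalize();
        return p.startsWith(baseDir) ? p : null; // defence in depth: stay inside baseDir
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real secret comes from configuration, not source code.
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        SignedFileParam s = new SignedFileParam(secret, Paths.get("/srv/downloads"));
        String sig = s.sign("reports/q4.pdf");
        System.out.println("file=reports/q4.pdf&sig=" + sig);
        System.out.println(s.verify("reports/q4.pdf", sig));       // link as issued
        System.out.println(s.verify("../../etc/passwd", sig));     // file parameter swapped
        System.out.println(s.verify("reports/q4.pdf", sig + "x")); // tag altered
    }
}
```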





Securing URL Parameters

2006-12-06 Thread Dennis Sinelnikov

Dear Fellow Tapestriers :),

I need to implement an EngineService that will return a specific file 
living on a filesystem.  I need to pass a parameter in the url that 
specifies which file to return.  I've searched the Tapestry listserv 
archives for an elegant solution, but nothing really caught my eye.  My 
initial thought was to do a one-way hash of the file and pass it via the 
parameter in the url; when the url comes back the service would 
"replicate" the process by comparing the hashes of all the files and see 
which one matches; the one that matches is returned to the user.


I'm curious to see what others are doing in securing urls from malicious 
users.  Sample code or any suggestions are greatly appreciated.


Thanks,
Dennis

