Hi

Instead of putting the parameter in the link to the servlet you can put it in a hidden input field in a form that you submit with the POST method, and catch it with doPost(). That way it's invisible to the user; though it's not as safe as the sessions approach that Michael Weller suggested, since the user can always check the source code of the HTML page.

Jonas Nordling

----- Original Message -----
From: "Michael Weller" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2001 7:54 PM
Subject: Re: Security Related Question

> hi,
> why don't you simply work with the session mechanism provided by the servlet
> api to keep a list of documents the current user may view or to keep
> information about the user to check if he shall be allowed to view the
> requested document.
>
> hope this helps!
>
> -mw
>
> ----- Original Message -----
> From: "Michael Wills" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, November 20, 2001 4:59 PM
> Subject: Security Related Question
>
> > First, to qualify myself, I am relatively new to java. I am an RPG
> > programmer by trade.
> >
> > We have a web application (purchased) that does its own document
> > distribution. However, in our environment we are somewhat modifying it to
> > adapt to our environment, but let it handle the front end security. We
> > distribute PDF versions of reports via the intranet. We place each
> > company's documents in separate folders, then when we want them to see the
> > reports. BTW, we are testing this, it is not in production. I have a
> > servlet written that will display the contents of the directory. We hard
> > code the parameter into a link to the servlet. But now we are wondering how
> > secure it really has to be. Right now, if the user figures out our
> > directory structure, they can get to any report. This is not good.
> >
> > Anyone have ideas as to how to secure the directory listing so they cannot
> > see other companies? Would encrypting the parameters work?
> >
> > Mike Wills
> > AS400 Programmer
> > [EMAIL PROTECTED]
> >
> > Coming soon to a web browser near you... koldark.net

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
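The session-based approach Michael Weller describes, written out as an added example (not code from any of the posters): the company is read from the server-side session rather than from a link or hidden field, so the folder name never appears in the page at all, and the resolved folder is still checked to lie under the report root. The session attribute name "company", the report root path and the ".pdf" filter are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CompanyReportsServlet extends HttpServlet {
    // Assumed root of the per-company report folders (placeholder path).
    private static final File REPORT_ROOT = new File("/srv/reports");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The company comes from the server-side session, stored at login
        // (assumed attribute name "company"), never from a request parameter,
        // so there is nothing in the link or page source for a user to alter.
        HttpSession session = req.getSession(false);
        String company = (session == null) ? null : (String) session.getAttribute("company");
        if (company == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Defence in depth: confirm the resolved folder really is below the root.
        String root = REPORT_ROOT.getCanonicalPath() + File.separator;
        File companyDir = new File(REPORT_ROOT, company).getCanonicalFile();
        if (!companyDir.getPath().startsWith(root) || !companyDir.isDirectory()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><ul>");
        File[] files = companyDir.listFiles();
        if (files != null) {
            for (File f : files) {
                // Only list the PDF reports themselves, with names HTML-escaped.
                if (f.isFile() && f.getName().endsWith(".pdf")) {
                    out.println("<li>" + escape(f.getName()) + "</li>");
                }
            }
        }
        out.println("</ul></body></html>");
    }

    // Minimal HTML escaping so a file name cannot inject markup into the listing.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```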
