> The __fp and _sourcePage values are encrypted as of Stripes 1.5 unless you
> have Stripes.DebugMode turned on in your web.xml.
I did... lol
>You can use @Validate(encrypted=true) to have form values encrypted when
>written out and automatically decrypted when read back in for binding.
Yep, we are using this where applicable (hidden fields). I'm trying to encrypt
(or otherwise alter) the parameter names as well as the values, and have
stripes still see them the way it normally would.
> use a regular <form> tag and inside that put a <stripes:form> with the
> "partial" attribute turned on
Hmm I will have to try that out. I don't think validation / repopulation will
still work right, but I will try. Either way as long as the values are
encrypted I think I can probably live with it.
>There's nothing in Stripes to help much with combining multiple request
>parameters into one. You're on your own there.
Ok, good to get confirmation from you on that. We'll see if we can come up
with anything half decent.
Thanks Ben.
From: Ben Gunter [mailto:bgun...@cpons.com]
Sent: Tuesday, September 27, 2011 12:33 PM
To: Stripes Users List
Subject: Re: [Stripes-users] Cleaning up / shrinking / obfuscating query string
parameters?
The __fp and _sourcePage values are encrypted as of Stripes 1.5 unless you have
Stripes.DebugMode turned on in your web.xml.
You can use @Validate(encrypted=true) to have form values encrypted when
written out and automatically decrypted when read back in for binding.
As for getting rid of the __fp and _sourcePage parameters for a GET request,
I'm not sure I've ever done this, but it might work. When you write your form
into the HTML, use a regular <form> tag and inside that put a <stripes:form>
with the "partial" attribute turned on. I think that would eliminate those
special elements while still allowing for form repopulation, etc.
There's nothing in Stripes to help much with combining multiple request
parameters into one. You're on your own there.
-Ben
On Tue, Sep 27, 2011 at 11:33 AM, Newman, John W
<newma...@d3onc.com<mailto:newma...@d3onc.com>> wrote:
All,
Up to this point our application has used method="POST" for every form. In
general we're not too big on using GET due to the long messy URLs and people
being able to save or share requests that may or may not work the same all the
time for everyone.
For user experience reasons, we're looking at converting the "read only" forms
to GET like they probably should have been in the first place. When you go
back to a POST, firefox does a nice job of just giving you a simple confirm
message box. Click yes and you're back at the results of the post. But
reasons I don't understand, IE8 went crazy and re-did this: Send post, click
back, get a white "page is expired" page (looks like an error), click refresh,
get a message box, click retry, finally back at your results. It's a lot of
reading, mouse movement, and clicks just to go back and repost. The average
user gets lost and confused throughout this sequence and sees it as a bug on
our end.
If I just change the method to GET it works fine, but the URL is extremely
long. It has the fp and sourcePage parameters in there which shows things like
WEB-INF and other things I'd rather not have that visible. Why aren't those
sourcePage and fp parameters encrypted?
That aside, in order to switch this to get I'd like to do a couple things if I
can:
1). Rewrite the query string from ?a=1234&b=2345=c=3456 to something like
?q=6vhHABS59OP0ILkMJsL7yY5t== . ... and the stripes side should still see the
parameters as "a & b & c", as it did before, no perceivable change from its
perspective
2). Add a some tokens into the GET to keep track of when it was submitted and
by whom so we can potentially block out old or unexpected requests.
#2 is not a big deal, we can do that fairly easily through a subclass of the
form tag and an interceptor. #1 however, I'm not really sure how to go about
it. I'm not 100% but I don't think the /clean/urls/feature can solve this as
the form is kind of dynamic and has anywhere from 1-15 fields in the query. It
wouldn't translate to a restful URL. Does stripes offer anything 'out of the
box' that I can take advantage of? I feel like I am missing something.
So far the best I can come up with is to put a servlet filter before the
stripes filter that takes the "q" parameter, decodes it, and rewrites the
getParameter() pieces to look into here instead. Unfortunately this requires
using HttpServletRequestWrapper, and due to no multiple inheritance, I have to
literally copy a few pieces out of the servlet implementation we are currently*
using. So obviously that is a poor solution and I'm not going to do that.
Also, I'm not really sure how to encrypt the parameter on the client side. I
can hook into the form.submit() piece using jquery, but any encryption I put in
there is client visible and can be broken. Might I be able to hook into the
form tag or something, or is just pointless base64 encoding the best I can do
here?
Thanks for any input.
-John
John W. Newman
Programmer
5750 Centre Avenue, Suite 500
Pittsburgh, PA 15206
Tel 412-204-0116<tel:412-204-0116>
newma...@d3onc.com<mailto:newma...@d3onc.com>
www.d3onc.com<http://www.d3onc.com/>
Fax 412-365-0749<tel:412-365-0749>
This e-mail may contain confidential information of the sending organization.
Any unauthorized or improper disclosure, copying, distribution, or use of the
contents of this e-mail and attached document(s) is prohibited. The information
contained in this e-mail and attached document(s) is intended only for the
personal and confidential use of the recipient(s) named above. If you have
received this communication in error, please notify the sender immediately by
e-mail and delete the original e-mail and attached document(s).
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net<mailto:Stripes-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/stripes-users
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
