Hi,

The advantage of the POST parameter is that it can't be viewed by the user in the URL. But an attacker can still edit the header and attack the application without much trouble.

To improve security you can validate the parameter properly where you receive it. For example, number only, or does not contain invalid characters in a string, e.g. <, >, _, /, etc. Another good thing will be to implement SSL. Now you can also go to OWASP and download the different security scanners and scan for the security loopholes.

Best Regards
Vishnu NV

-----Original Message-----
From: Rahul Mohan [mailto:rahul.mo...@tcs.com]
Sent: Thursday, June 03, 2010 8:44 AM
To: Struts Users Mailing List
Subject: Re: Encrypting parameters

Hi,

I don't think it's a good idea to expose the URLs to the users in a secure application. Avoid GET requests and stick to POST. Also, sticking to request forwarding instead of redirects will keep the URL fixed in the browser's address bar. You might have some issues with the back button because of this, but in most business applications this is OK since going back one step in some process is anyway not allowed. Combined with HTTPS this will give you good enough protection against eavesdropping. But, to protect data access, you would still need to enforce some access control on the data based on the user credentials.

cheers,
Rahul Mohan

From: Stephane Cosmeur <cosm...@gmail.com>
To: Struts Users Mailing List <user@struts.apache.org>
Date: 03-06-2010 08:53
Subject: Encrypting parameters

Hello,

I would like to improve the security of my web application. My problem is that I would like to encrypt the visible parameters in the URL to prevent users from changing them to access data they should not see. At first I thought the simple encode attribute of s:url would work for what I need, but it's not the case. So I don't believe such a useful feature is implemented in Struts 2. What is the best solution to perform it? I was thinking of an interceptor which decrypts each request for each action and a Java function which encrypts the URL in each JSP, but I'm not sure it's the right way to do it. Any help would be appreciated!
Regards
--
Stéphane Cosmeur
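The two checks the replies above recommend, Vishnu's whitelist validation of the parameter and Rahul's access control on the data based on the logged-in user's credentials, as an added Struts 2 action; this is example code written for this thread, not code from any of the posters. The action name, the session key "username" and the in-memory owner table standing in for a DAO are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

// Hypothetical Struts 2 action that loads an invoice by the "id" parameter.
// The id is client-controlled whether it travels in the URL or a POST body,
// so it is validated strictly and the record's owner is compared with the
// logged-in user before anything is returned. Encrypting the id would not
// replace either check.
public class ViewInvoiceAction extends ActionSupport implements SessionAware {
    // Whitelist: decimal digits only, so no path, SQL or script characters pass.
    private static final Pattern ID_PATTERN = Pattern.compile("[0-9]{1,18}");

    // Constructed in-memory data standing in for a DAO: invoice id -> owner.
    private static final Map<Long, String> INVOICE_OWNERS = new HashMap<>();
    static {
        INVOICE_OWNERS.put(1001L, "alice");
        INVOICE_OWNERS.put(1002L, "bob");
    }
    private Map<String, Object> session;
    private String id;      // set by the params interceptor from ?id= or a form field
    private String owner;   // exposed to the JSP only after the checks below succeed

    @Override
    public String execute() {
        if (id == null || !ID_PATTERN.matcher(id).matches()) {
            addActionError("Invalid invoice id");
            return INPUT;
        }
        // "username" is assumed to be stored in the session at login.
        Object user = session == null ? null : session.get("username");
        if (user == null) {
            return LOGIN;
        }
        String recordOwner = INVOICE_OWNERS.get(Long.parseLong(id));
        // Authorization on the data itself. "Missing" and "not yours" get the
        // same answer so a tampered id reveals nothing about other records.
        if (recordOwner == null || !recordOwner.equals(user)) {
            addActionError("Invoice not found");
            return ERROR;
        }
        owner = recordOwner;
        return SUCCESS;
    }

    public void setId(String id) { this.id = id; }
    public String getOwner() { return owner; }
    public void setSession(Map<String, Object> session) { this.session = session; }
}
```

With a session whose "username" is "alice", id=1001 returns SUCCESS while id=1002, id=9999 and id=1001/../x all end in ERROR or INPUT without revealing whether the record exists.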