Reputation: 9189
How do I obscure the values of fields used in URL strings in a Spring MVC web app?
For example, if I want to send the record with recordID=1 into the view, I give the user a hyperlink with the following url:
https://myapp.com/urlpattern?recordID=1
As you can see, this not only exposes the recordID=1, it also tempts a malicious user to start typing other numbers to mine other records such as recordID=5 or recordID=9.
Does the Spring Framework or Spring Security have a built-in way of encrypting URL strings? Or do I need to change the id values in the underlying database using Hibernate?
The controller code for the above url pattern is:
    @RequestMapping(value = "/urlpattern", method = RequestMethod.GET)
    public String processUrlPattern(@RequestParam("recordID") String recordId,
            HttpServletRequest request, BindingResult result, Map<String, Object> model) {
        Long recId = Long.valueOf(recordId).longValue();
        RecordObject sel_record = this.appService.findRecordById(recId);
        model.put("sel_record", sel_record);
        return "foldername/jspname";
    }
Note that all entities in the app inherit from the same BaseEntity, whose id-generating code is as follows:
    @Entity
    @Inheritance(strategy = InheritanceType.TABLE_PER_CLASS)
    @DiscriminatorFormula("(CASE WHEN dtype IS NULL THEN 'BaseEntity' ELSE dtype END)")
    @org.hibernate.annotations.DiscriminatorOptions(force=true)
    public abstract class BaseEntity {
        @Transient
        private String dtype = this.getClass().getSimpleName();

        @Id
        @GeneratedValue(strategy=GenerationType.TABLE, generator="TBL_GEN")
        @TableGenerator(
            name="TBL_GEN",
            table="GENERATOR_TABLE",
            pkColumnName = "mykey",
            valueColumnName = "hi",
            pkColumnValue="id",
            allocationSize=20
        )
        protected Integer id;
        //other stuff
    }
NOTE: All the users are authenticated/authorized using Spring Security. However, the data is very sensitive, and it is important that no one be able to manipulate URL strings.
Upvotes: 1
Views: 449
Reputation: 48246
Use HDIV, it does this out of the box:
http://hdiv.org/hdiv-documentation-single/doc.html
"A6 (Sensitive data exposure) : HDIV offers a confidentiality property to all data generated at server side. That is to say, HDIV replaces original parameter values generated at server side by relative values (0,1,2,4, etc.) that avoid exposing critical data to the client side."
Upvotes: 1
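The idea in the quoted passage, replacing server-generated ids with relative values that only the issuing session can resolve, shown in plain Java as an added example. It is not code from the question, the answer or HDIV; the class name IndirectReferenceMap, its methods and the sample ids are constructed for illustration, and one instance is assumed to be stored per HttpSession.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Hypothetical per-session indirect reference map (assumption: one instance per HttpSession). */
public class IndirectReferenceMap {
    private final Map<String, Long> refToId = new HashMap<>();
    private final Map<Long, String> idToRef = new HashMap<>();
    private int next = 0;

    /** Called while rendering a link: returns the relative value to put in the URL. */
    public synchronized String toReference(long realId) {
        return idToRef.computeIfAbsent(realId, id -> {
            String ref = Integer.toString(next++);
            refToId.put(ref, id);
            return ref;
        });
    }

    /** Called by the controller: resolves only references issued to this session. */
    public synchronized Optional<Long> toRealId(String ref) {
        return Optional.ofNullable(refToId.get(ref));
    }

    public static void main(String[] args) {
        // Constructed sample: two sessions, each shown different records.
        IndirectReferenceMap alice = new IndirectReferenceMap();
        IndirectReferenceMap bob = new IndirectReferenceMap();
        String a0 = alice.toReference(9041L); // Alice's link carries recordID=0
        String b0 = bob.toReference(17L);     // Bob's link also carries recordID=0
        bob.toReference(9L);                  // Bob's second link carries recordID=1

        // The same URL value resolves to a different record in each session.
        System.out.println("alice " + a0 + " -> " + alice.toRealId(a0));
        System.out.println("bob   " + b0 + " -> " + bob.toRealId(b0));
        // A value never issued to Alice's session resolves to nothing.
        System.out.println("alice 1 -> " + alice.toRealId("1"));
        // The real database id is not accepted as a reference either.
        System.out.println("alice 9041 -> " + alice.toRealId("9041"));
    }
}
```

In a controller, an empty result from toRealId would be answered with an error status instead of a lookup, and the per-record authorization check on the resolved id still applies, since the mapping hides ids but does not decide who may read a record.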