1

How do I obscure the values of fields used in url strings in a spring mvc web app?

For example, if I want to send the record with recordID=1 into the view, I give the user a hyperlink with the following url: 

https://myapp.com/urlpattern?recordID=1

As you can see, this not only exposes the recordID=1, it also tempts a malicious user to start typing other numbers to mine other records such as recordID=5 or recordID=9.

Does the spring framework or spring security have a built-in way of encrypting url strings? Or do I need to change the id values in the underlying database using hibernate?

The controller code for the above url pattern is: 

@RequestMapping(value = "/urlpattern", method = RequestMethod.GET)
public String processUrlPattern(@RequestParam("recordID") String recordId, 
  HttpServletRequest request, BindingResult result, Map<String, Object> model) {

    Long recId = Long.valueOf(recordId).longValue();
    RecordObject sel_record = this.appService.findRecordById(recId);
    model.put("sel_record", sel_record);
    return "foldername/jspname";
}

Note that all entities in the app inherit from the same BaseEntity whose id-generating code is as follows: 

@Entity
@Inheritance(strategy = InheritanceType.TABLE_PER_CLASS)
@DiscriminatorFormula("(CASE WHEN dtype IS NULL THEN 'BaseEntity' ELSE dtype END)")
@org.hibernate.annotations.DiscriminatorOptions(force=true)
public abstract class BaseEntity {

    @Transient
    private String dtype = this.getClass().getSimpleName();

    @Id 
    @GeneratedValue(strategy=GenerationType.TABLE, generator="TBL_GEN")
    @TableGenerator(
        name="TBL_GEN",
        table="GENERATOR_TABLE",
        pkColumnName = "mykey",
        valueColumnName = "hi",
        pkColumnValue="id",
        allocationSize=20
    )
    protected Integer id;

    //other stuff
}

NOTE: All the users are authenticated/authorized using Spring security. However, the data is very sensitive, and it is important that no one be able to manipulate url strings.

Improve this question
9
  • Are users authenticated/authorised using Spring Security? Commented Mar 11, 2015 at 20:49
  • @Mark Yes, users are all authenticated/authorized using Spring Security. Commented Mar 11, 2015 at 21:25
  • Are users only meant to have access to specific IDs? Commented Mar 11, 2015 at 21:37
  • 1
    Yes but what is concluded there is that it is not a real security measure, no matter the technology used. You 'd probably better look at ACL in spring security for a proper solution Commented Mar 11, 2015 at 22:10
  • 1
    I didn't flag your question as duplicate if you have noticed. Just made a hint, trying to give some direction on the real concept which is obfuscating url parameters. The rest is implementation details. Some practices live longer than 4 years. Commented Mar 11, 2015 at 22:36

1 Answer 1

Reset to default
1

Use HDIV, it does this out of the box:

http://hdiv.org/hdiv-documentation-single/doc.html

"A6 (Sensitive data exposure) : HDIV offers a confidentially property to all data generated at sever side. That is to say, HDIV replace original parameter values generated at server side by relative values (0,1,2,4, etc.) that avoid exposing critical data to the client side."

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.