Hide URL inside a JSP page.
sarath

2005-08-18, 4:04 am

I am developing a sample Java application, where a signed applet sends
some data from the client using the showDocument() method (which passes the
data using the GET method). The data gets submitted to a JSP page (in my
program, mypage.jsp) and after doing some operations, I pass the request to
another JSP page (in my program, another.jsp).
Now the problem is, the data I send by showDocument() is shown in the
browser address bar, like,

http://localhost:8080/demoBank/mypa...r1=123&par2=444 .

Is there any way so that, when the request reaches the first
JSP (mypage.jsp), I can modify the request URL and pass the request to
another.jsp, so that when the contents are displayed in the browser, the
URL won't be displayed?

I know about the openConnection() option where you can post the
request. But our system requires that it should be showDocument()
instead of openConnection().

Please help me

Thanks in advance

sarath

Shorty

2005-08-18, 4:04 am

If you don't want the parameters to appear in the address bar, you'll
need to return a page to the browser which automatically POSTs to the
new .jsp.

You can take all the parameters you receive in the first jsp, put them
in hidden fields in the page you return, and add an onload attribute to
that page's body to submit the form automatically.

Drawback is it will replace the page that was displayed and the user
will have a blank page while waiting for the second jsp to return a
page (you might want to add some text in the page to make the user
wait);

However all that doesn't stop the parameters from being shown for a
while during the request submissions to the jsp...
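
The relay page described in this reply, as an added example that is not part of the original post. It assumes the Servlet 3.0+ API; the class name AutoPostRelayServlet is hypothetical, and another.jsp is the target named in the thread. Because the parameters are echoed back into HTML, each one is escaped before it is written.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical relay servlet: receives the applet's GET and returns a page
// that re-submits the same parameters to another.jsp as a POST.
public class AutoPostRelayServlet extends HttpServlet {

    // Escape the HTML-significant characters so an echoed parameter cannot
    // break out of the attribute it is written into.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        res.setContentType("text/html;charset=UTF-8");
        // Keep the relay page, which contains the values, out of caches.
        res.setHeader("Cache-Control", "no-store");
        PrintWriter w = res.getWriter();
        w.println("<html><body onload=\"document.forms[0].submit()\">");
        w.println("<p>Please wait...</p>");
        w.println("<form method=\"post\" action=\"another.jsp\">");
        // One hidden field per received parameter value.
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            for (String value : e.getValue()) {
                w.println("<input type=\"hidden\" name=\"" + escapeHtml(e.getKey())
                        + "\" value=\"" + escapeHtml(value) + "\">");
            }
        }
        w.println("</form></body></html>");
    }
}
```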

Andrew Thompson

2005-08-18, 4:04 am

On 18 Aug 2005 00:52:45 -0700, sarath wrote:

> I am developing a sample java application, where a signed applet sends
> some data from client using showDocument() method,( which pass the data
> using get method). The data gets submitted to a JSP page(in my program,
> mypage.jsp) and after doing some operations, i pass the request to
> another JSP page(in my program, another.jsp).


Are you doing this all within a single web page, or in
a group of 'new/_blank' or 'pop-up' windows?

This web application is already seriously flawed.
- Attempting to treat HTML as other than a stateless,
single track process.
- Using (or depending on) showDocument()
- (possibly) breaking the 'back' button.

> Now the problem is, ..


No. I doubt you have even begun to realise the
problems this design faces. It will be a support
nightmare when customers armed with the latest
Service Pack or pop-up blocker ask why 'nothing
happens' in the web-app.

> ..the data i send by showDocument() is shown in the
> browser address bar, like,
>
> http://localhost:8080/demoBank/mypa...r1=123&par2=444 .
>
> is there any way so that, when the request reaches the first
> jsp(mypage.jsp),i can modify the request URL and pass the request to
> another.jsp, so that when the contents are displayed on the browser, the
> URL won't be displayed ?


No. Long answer, nope.

What's more, a lot of end users consider that to be rude.

To solve this problem properly, we first need to examine
your design. To do that, we need to know not what you are
doing, or trying to do, but what you are trying to *achieve*.

So, what is this entire process? What is the end aim of
this series of information exchanges?

Why do you feel the need to hide *anything* from the end user?

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"I am a traveller of both time and space, to be where I have been.."
Led Zeppelin 'Kashmir'

sarath

2005-08-18, 6:00 pm

Thanks for the reply everyone...

All I am trying to do is pass some details that I got from the user,
like his voice sample, to the server through a
secure channel.
And there is no question of a pop-up menu or anything... showDocument()
is a method wherein I can establish a connection to the server
program, so that I will be able to pass the response back from the
server to another webpage rather than the applet itself, after
processing the request....
Let's say I gave a voice sample, and that voice sample is made into a
template and is sent to the server. I am using showDocument() for it
because, after I get the voice sample on the server, I should pass
control to another JSP.
If I am using openConnection(), then the response of the server will
go back to the applet.. I don't want that to happen.. rather, I want to
pass control to a JSP.

And I want to hide the template from the user, because I don't want
to show the user my implementation details or what parameters I am
passing to the JSP.

Would you please tell me what the disadvantage of using
showDocument() is?
And what are the flaws associated with this method?




regards

sarath





Andrew Thompson wrote:
> On 18 Aug 2005 00:52:45 -0700, sarath wrote:
>
>
> Are you doing this all within a single web page, or in
> a group of 'new/_blank' or 'pop-up' windows?
>
> This web application is already seriously flawed.
> - Attempting to treat HTML as other than a stateless,
> single track process.
> - Using (or depending on) showDocument()
> - (possibly) breaking the 'back' button.
>
>
> No. I doubt you have even begun to realise the
> problems this design faces. It will be a support
> nightmare when customers armed with the latest
> Service Pack or pop-up blocker ask why 'nothing
> happens' in the web-app.
>
>
> No. Long answer, nope.
>
> What's more, a lot of end users consider that to be rude.
>
> To solve this problem properly, we first need to examine
> your design. To do that, we need to know not what you are
> doing, or trying to do, but what you are trying to *achieve*.
>
> So, what is this entire process? What is the end aim of
> this series of information exchanges?
>
> Why do you feel the need to hide *anything* from the end user?
>
> --
> Andrew Thompson
> physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
> "I am a traveller of both time and space, to be where I have been.."
> Led Zeppelin 'Kashmir'


Andrew Thompson

2005-08-18, 6:00 pm

On 18 Aug 2005 02:58:12 -0700, sarath wrote:

Please refrain from top-posting, instead put your comment
straight after what you are replying to, and trim anything
you are *not* replying to..
<http://www.physci.org/codes/javafaq.jsp#netiquette>

> All i am trying to do is passing some details that i got from user,
> like, his voice sample, and trying to pass it to the server through a
> secure channel.


OK, so you are needing to transport a significant amount
of audio data (5-30Kb minimum?) over a secure connection.
Not something that can be done from a plain web page.
Thanks for clarifying that much.

> ...I am using showDocument() for it,
> because, after i get the voice sample in the server, i should pass the
> control to another JSP.


Why another JSP? Why not show the result in the
original applet (CardLayout, (J)ScrollPane, JTabbedPane..)?

What does the other JSP show? What does it do?

> ...and i want to hide the template from the user, because i don't want
> to show the user, my implementation details or what parameters i am
> passing to the jsp.


Please expand on what you mean by "don't want to show"
- the user should not bookmark this URL, or it will break things
- the URL is a trade secret, it contains vital information
- the URL looks ugly
- the user can break the web-app if they hit the 'back' button..

Try to be specific not about *what* you want, but
*why* you want it.

But to inject a thought here, it sounds as though a Swing
application, which can provide everything your applet
currently does, and possibly much more, would be better,
as it can probably also display the 'result' back from
your JSP.

Whether you would want to send a JSP back to the Swing
application is questionable though, since you now have much
more choice of exactly what form to send the information from
the server back to the client.

Also - what is this overall application?
What is it, what does it do?

[ Getting information from some folks is like pulling
teeth. ;-) ]

> would you please tell me what is the disadvantage of using
> showDocument() ???


It cannot be trusted to work..
<http://groups-beta.google.com/group...d45163fc01cdf59>

> and what are the flaws associated with this method ?


- applets. Anything an applet can do, can be done by
an application. Applications are far easier to develop
and deploy, especially when you are needing to do things
that require a signed jar, such as you are.
- Attempting to obscure the URL in a browser. You are
fighting against what the browser is trying to do, which
is keep the user informed about what is happening.
- Not realising that any attempt to hide URLs from anybody
that really wants to know them, is pointless.

HTH

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"..because you're mine."
Screamin' Jay Hawkins 'I Put A Spell On You'

Andrew Thompson

2005-08-18, 6:00 pm

On Thu, 18 Aug 2005 10:45:06 GMT, Andrew Thompson wrote:

> On 18 Aug 2005 02:58:12 -0700, sarath wrote:


>
> It cannot be trusted to work..
> <http://groups-beta.google.com/group...d45163fc01cdf59>


#$%# Google! ..sorry. That URL points to the thread I started,
but there seems no way to get to the seminal post in the thread
from Grant Wagner (you can see his name on the left, but it
does not link to his words).

Here is Grant's assessment.
<http://groups.google.com.au/group/c...dd4e9b5f2408ec9>

In a few words 'IE SP2 kills showDocument'.


...to add to that.

As time goes on, more and more browser makers, pop-up
blocker makers, and even the makers of general internet
plug-in tools - will be offering the option to cancel
the ability of Java applets to make any use of
showDocument() at all.

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"I'll sing and I'll be merry when occasion I do see.."
Steeleye Span 'All Around My Hat'

sarath

2005-08-18, 6:00 pm

I have to do some security check.. that is why I don't want to show the
user the URL.. it is dealing with some security... and I don't want
anyone to know the implementation details... I don't even want to post
it in the group.

(There are some teeth that don't come out...) ;-)

sarath

Andrew Thompson

2005-08-18, 6:00 pm

On 18 Aug 2005 05:37:02 -0700, sarath wrote:

> i have to do some security check.. that is why i don't want to show the
> user the url.. it is dealing with some security...


Using a 'sniffer'[1] the user can see all network traffic
from their machine (as is their right).

[1] <http://www.google.com/search?q=definition+sniffer>

> (There are some teeth that don't come out...) ;-)


I do not think there is enough 'fluoride' in your security measures.

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"Everybody's groovin' to their own song."
Josh Abrahams/Amiel Daemion 'Addicted to Bass'

jAnO!

2005-08-18, 6:00 pm


"sarath" <mesarath@gmail.com> wrote in message
news:1124351565.797268.8590@g14g2000cwa.googlegroups.com...
> I am developing a sample java application, where a signed applet sends
> some data from client using showDocument() method,( which pass the data
> using get method). The data gets submitted to a JSP page(in my program,
> mypage.jsp) and after doing some operations, i pass the request to
> another JSP page(in my program, another.jsp).
> Now the problem is, the data i send by showDocument() is shown in the
> browser address bar, like,
>
> http://localhost:8080/demoBank/mypa...r1=123&par2=444 .
>
> is there any way so that, when the request reaches the first
> jsp(mypage.jsp),i can modify the request URL and pass the request to
> another.jsp, so that when the contents are displayed on the browser, the
> URL won't be displayed ?
>


Well, you could use a POST instead of the GET; the user will see
http://localhost:8080/demoBank/mypage.jsp in its URL bar, and then you'll
modify your JSP so that it will show an error or will redirect you to the
right page when the parameters are omitted or GET is used.


Oliver Wong

2005-08-18, 6:00 pm

"Andrew Thompson" <SeeMySites@www.invalid> wrote in message
news:kx57vippb9xw$.1crxkytw7rlmc$.dlg@40tude.net...
> On 18 Aug 2005 05:37:02 -0700, sarath wrote:
>
>
> Using a 'sniffer'[1] the user can see all network traffic
> from their machine (as is their right).
>
> [1] <http://www.google.com/search?q=definition+sniffer>


Perhaps you could generate a new one-time URL for every authenticated
user (e.g. myUrl.jsp?key=857902735975345). The "myUrl.jsp" page just checks
the key and if it is valid, reads directly from the source URL itself, and
sends the data to the user, so the user never finds out what the source URL
is.

This may or may not solve your problem, as your problem is kind of vague
(what kind of information could an attacker glean from just the URL, which
can always just arbitrarily to any other URL?)

- Oliver
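
One way to implement the one-time key check described in this reply, as an added example that is not part of the original post. The class OneTimeKeyStore, the user name and the internal URL are hypothetical, and the key here is 128 random bits rather than the numeric form shown in the reply; the key is bound to the user it was issued to, expires, and is consumed on first use.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper: maps unguessable single-use keys to internal source
// URLs that are never sent to the browser.
public class OneTimeKeyStore {
    private static final class Entry {
        final String user;
        final String sourceUrl;
        final Instant expires;
        Entry(String user, String sourceUrl, Instant expires) {
            this.user = user; this.sourceUrl = sourceUrl; this.expires = expires;
        }
    }

    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final Duration ttl;

    public OneTimeKeyStore(Duration ttl) { this.ttl = ttl; }

    // Called after authentication: returns the value for myUrl.jsp?key=...
    public String issue(String user, String sourceUrl) {
        byte[] raw = new byte[16]; // 128 bits from a CSPRNG, not a counter
        rng.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        entries.put(key, new Entry(user, sourceUrl, Instant.now().plus(ttl)));
        return key;
    }

    // Called by the page that checks the key. remove() is atomic, so two
    // concurrent requests cannot both redeem the same key; any attempt,
    // including one by the wrong user, consumes it.
    public Optional<String> redeem(String user, String key) {
        if (user == null || key == null) return Optional.empty();
        Entry e = entries.remove(key);
        if (e == null || !e.user.equals(user) || Instant.now().isAfter(e.expires)) {
            return Optional.empty();
        }
        return Optional.of(e.sourceUrl); // fetched server-side, never shown
    }

    public static void main(String[] args) {
        OneTimeKeyStore store = new OneTimeKeyStore(Duration.ofMinutes(2));
        // Constructed sample values.
        String key = store.issue("alice", "http://internal.example/source");
        System.out.println("first use:  " + store.redeem("alice", key).isPresent());
        System.out.println("replay:     " + store.redeem("alice", key).isPresent());
        System.out.println("guessed:    " + store.redeem("alice", "857902735975345").isPresent());
    }
}
```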


jAnO!

2005-08-18, 6:00 pm


"jAnO!" <j.groot@donotspam.kpn.com> wrote in message
news:de21tf$fap$1@hdxl22.telecom.ptt.nl...
>
> "sarath" <mesarath@gmail.com> wrote in message
> news:1124351565.797268.8590@g14g2000cwa.googlegroups.com...
>
> Well, you could use a POST instead of the GET; the user will see
> http://localhost:8080/demoBank/mypage.jsp in its URL bar, and then you'll
> modify your JSP so that it will show an error or will redirect you to the
> right page when the parameters are omitted or GET is used.
>


Better still, just implement a basic model view controller architecture, and
let your controller servlet do the work.



sarath

2005-08-18, 6:00 pm

If I add some SSL, encryption and encoding, will it increase the security?
If someone can still hack through it, what is the best way to avoid
it?

sarath

jAnO!

2005-08-18, 6:00 pm


"jAnO!" <j.groot@donotspam.kpn.com> wrote in message
news:de221r$fmo$1@hdxl22.telecom.ptt.nl...

> Better still, just implement a basic model view controller architecture,
> and let your controller servlet do the work.
>


The URL shown will be that of the controller servlet; when you forward a
request from a servlet to a JSP, the URL of the JSP won't show in the
browser's URL bar.

So :


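import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {
    // POST: forward to the JSP; the browser keeps showing the servlet's URL.
    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        RequestDispatcher view = req.getRequestDispatcher("mypage.jsp");
        view.forward(req, res);
    }

    // GET: forward to an error page instead of processing the request.
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        RequestDispatcher view = req.getRequestDispatcher("error.jsp");
        view.forward(req, res);
    }
}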


sarath

2005-08-18, 6:00 pm

> Better still, just implement a basic model view controller architecture,
> and let your controller servlet do the work.


The request is going to the server, through an applet which is embedded
inside a web page, using showDocument()...... it is not getting
submitted using the usual submit() method of the page. That is my core
problem. I am grabbing some input from user by using the applet and i
want to pass it to the server.
as far as my knowledge, there are 2 methods of doing that.
1. showDocument() which will send the request using get() method
2. openConnection() which will send the request using post() method

if i am using the openConnection(), the response from the servlet will
come back to the applet.

but if i use the showDocument(), the response from servlet can go to
another page specified by the server side program, but the complete
query string will be shown in the browser address bar. It looks ugly
and it feels like it is a bit unsecure. So i want to hide that URL.

I guess you got my problem now..

regards

sarath

jAnO!

2005-08-18, 6:00 pm


"sarath" <mesarath@gmail.com> wrote in message
news:1124373135.231100.195920@g43g2000cwa.googlegroups.com...
>
> The request is going to the server, through an applet which is embedded
> inside a web page, using showDocument()...... it is not getting
> submitted using the usual submit() method of the page. That is my core
> problem. I am grabbing some input from user by using the applet and i
> want to pass it to the server.
> as far as my knowledge, there are 2 methods of doing that.
> 1. showDocument() which will send the request using get() method
> 2. openConnection() which will send the request using post() method
>
> if i am using the openConnection(), the response from the servlet will
> come back to the applet.
>
> but if i use the showDocument(), the response from servlet can go to
> another page specified by the server side program, but the complete
> query string will be shown in the browser address bar. It looks ugly
> and it feels like it is a bit unsecure. So i want to hide that URL.
>
> I guess you got my problem now..
>

Then you should put your parameters as attributes on a session and redirect
the request from the server to the jsp, the browser will display the url of
the jsp and not the parameters.


sarath

2005-08-18, 6:00 pm

No that is not the solution.. the applet's results are there in the
client.. there is no way i can access servlet's session from the
client.

sarath

jAnO!

2005-08-19, 4:20 pm


"sarath" <mesarath@gmail.com> wrote in message
news:1124377819.600843.79270@g14g2000cwa.googlegroups.com...
> No that is not the solution.. the applet's results are there in the
> client.. there is no way i can access servlet's session from the
> client.
>

You don't understand:

applet > servlet (put parameters as attributes in session)> redirect to
other jsp (and get attributes from the session)
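
The flow sketched in this reply, as an added example that is not part of the original post. The class name StashAndRedirectServlet and the 4096-character limit are assumptions; par1 and par2 are the parameter names visible in the URL quoted in the thread.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical controller: applet -> servlet (parameters into the session)
// -> redirect to another.jsp, which reads them back from the session.
public class StashAndRedirectServlet extends HttpServlet {
    // Only the parameters the application expects are copied.
    private static final String[] EXPECTED = {"par1", "par2"};
    private static final int MAX_LEN = 4096; // assumed limit

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        HttpSession session = req.getSession(true);
        for (String name : EXPECTED) {
            String value = req.getParameter(name);
            if (value == null || value.length() > MAX_LEN) {
                res.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            session.setAttribute(name, value);
        }
        // Ask the browser not to cache this response.
        res.setHeader("Cache-Control", "no-store");
        // The redirect target carries no query string, so the address bar
        // ends up showing only .../another.jsp. The URL of this first
        // request, with its parameters, has still been requested by the
        // browser and can appear in its history and in server access logs.
        res.sendRedirect(req.getContextPath() + "/another.jsp");
        // In another.jsp: read session.getAttribute("par1") and then call
        // session.removeAttribute("par1") so the value does not linger.
    }
}
```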


Shorty

2005-08-19, 4:20 pm

IMHO, that still won't stop the parameters from showing in the browser
address bar before the redirection takes place, so it cannot be a
solution.

Point is anything you do on the server won't change anything as long as
you use showDocument (and therefore GET), because the parameters show
in the address bar before any redirection can happen...
