How do I obscure the values of fields used in url strings in a spring mvc web app?

For example, if I want to send the record with recordID=1 into the view, I give the user a hyperlink with the following url:

https://myapp.com/urlpattern?recordID=1  

As you can see, this not only exposes the recordID=1, it also tempts a malicious user to start typing other numbers to mine other records such as recordID=5 or recordID=9.

Does the spring framework or spring security have a built-in way of encrypting url strings? Or do I need to change the id values in the underlying database using hibernate?

The controller code for the above url pattern is:

@RequestMapping(value = "/urlpattern", method = RequestMethod.GET)
public String processUrlPattern(@RequestParam("recordID") String recordId, 
  HttpServletRequest request, BindingResult result, Map<String, Object> model) {

    Long recId = Long.valueOf(recordId).longValue();
    RecordObject sel_record = this.appService.findRecordById(recId);
    model.put("sel_record", sel_record);
    return "foldername/jspname";
}

Note that all entities in the app inherit from the same BaseEntity whose id-generating code is as follows:

@Entity
@Inheritance(strategy = InheritanceType.TABLE_PER_CLASS)
@DiscriminatorFormula("(CASE WHEN dtype IS NULL THEN 'BaseEntity' ELSE dtype END)")
@org.hibernate.annotations.DiscriminatorOptions(force=true)
public abstract class BaseEntity {

    @Transient
    private String dtype = this.getClass().getSimpleName();

    @Id 
    @GeneratedValue(strategy=GenerationType.TABLE, generator="TBL_GEN")
    @TableGenerator(
        name="TBL_GEN",
        table="GENERATOR_TABLE",
        pkColumnName = "mykey",
        valueColumnName = "hi",
        pkColumnValue="id",
        allocationSize=20
    )
    protected Integer id;

    //other stuff
}  

NOTE: All the users are authenticated/authorized using Spring security. However, the data is very sensitive, and it is important that no one be able to manipulate url strings.

CodeMed
  • Are users authenticated/authorised using Spring Security? – Mark Mar 11 '15 at 20:49
  • @Mark Yes, users are all authenticated/authorized using Spring Security. – CodeMed Mar 11 '15 at 21:25
  • Are users only meant to have access to specific IDs? – Mark Mar 11 '15 at 21:37
  • @Mark Doesn't matter. They should not be able to manipulate url strings anyway. – CodeMed Mar 11 '15 at 21:53
  • possible duplicate of http://stackoverflow.com/questions/4017757/encode-obfuscate-http-parameters Although not spring specific, the general concept is the same – gregdim Mar 11 '15 at 21:55
  • @grid This is not a duplicate because my question is about spring specifically. Also, my app has already implemented the ssl and authentication suggestions from the answers in the other posting to which you linked. – CodeMed Mar 11 '15 at 22:05
  • Yes but what is concluded there is that it is not a real security measure, no matter the technology used. You'd probably better look at ACL in spring security for a proper solution – gregdim Mar 11 '15 at 22:10
  • @grid ACL in spring security is not mentioned in the link that you gave. Yet another reason this posting is NOT a duplicate. One would imagine that there are spring specific versions of any of the general things mentioned in that other posting. And also, this current posting will no doubt attract different respondents at a different time, who may contribute a variety of different perspectives. **THE LINK YOU GAVE IS FOUR YEARS OLD.** – CodeMed Mar 11 '15 at 22:17
  • I didn't *flag* your question as duplicate if you have noticed. Just made a hint, trying to give some direction on the real concept which is obfuscating url parameters. The rest is implementation details. Some practices live longer than 4 years. – gregdim Mar 11 '15 at 22:36

1 Answer

Use HDIV, it does this out of the box:

http://hdiv.org/hdiv-documentation-single/doc.html

"A6 (Sensitive data exposure) : HDIV offers a confidentiality property to all data generated at server side. That is to say, HDIV replaces original parameter values generated at server side by relative values (0,1,2,4, etc.) that avoid exposing critical data to the client side."

Neil McGuigan
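The value substitution quoted in the answer, shown as an added example that is not HDIV's code and not part of the original posts: a per-session map hands out relative values (0, 1, 2, ...) when links are rendered and resolves only values it issued. The class name `IndirectReferenceMap`, its methods and the sample record IDs are hypothetical; in a Spring MVC app one instance would be kept per `HttpSession`.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Hypothetical per-session map: real record IDs never appear in a URL. */
public class IndirectReferenceMap {
    private final Map<Integer, Long> tokenToId = new HashMap<>();
    private final Map<Long, Integer> idToToken = new HashMap<>();

    /** Called while rendering a link: returns the relative value for the URL. */
    public synchronized int toIndirect(long realId) {
        return idToToken.computeIfAbsent(realId, id -> {
            int token = tokenToId.size();   // next relative value, in issue order
            tokenToId.put(token, id);
            return token;
        });
    }

    /** Called in the controller: resolves only values issued to this session. */
    public synchronized Optional<Long> toReal(String param) {
        try {
            return Optional.ofNullable(tokenToId.get(Integer.valueOf(param)));
        } catch (NumberFormatException e) {
            return Optional.empty();        // null or non-numeric parameter
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two sessions, each shown a different record.
        IndirectReferenceMap sessionA = new IndirectReferenceMap();
        IndirectReferenceMap sessionB = new IndirectReferenceMap();
        int linkA = sessionA.toIndirect(4711L);
        int linkB = sessionB.toIndirect(9001L);

        System.out.println("A renders /urlpattern?recordID=" + linkA);
        System.out.println("B renders /urlpattern?recordID=" + linkB);
        // The same URL value maps to a different record in each session.
        System.out.println("A resolves 0: " + sessionA.toReal("0"));
        System.out.println("B resolves 0: " + sessionB.toReal("0"));
        // Values never issued to the session, or malformed, resolve to nothing.
        System.out.println("A resolves 5: " + sessionA.toReal("5"));
        System.out.println("A resolves x: " + sessionA.toReal("x"));
    }
}
```

The map only limits which values a session can submit; the lookup behind `findRecordById` still needs the per-record authorization check (the Spring Security ACL route mentioned in the comments).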