
In Grails, with a URL like this

http://localhost:8080/MyApp/show/2

is there a way to hide or encrypt the id part

/2

I need this to prevent users from accessing other users' data; for instance, my ID is 3, and I could access another user's data by typing

/show/4
grails
  • Why do you need this? Can you provide more details? Because it seems that such a question could have many possible answers, and none of them will be right – Igor Artamonov Dec 21 '15 at 06:29
  • OK, I see. Then encoding, hiding, POST or anything like this will not help. You need a security plugin, see the spring-security-core plugin – Igor Artamonov Dec 21 '15 at 13:28
  • @IgorArtamonov I tried the **Spring security plugin**, but I found that anyone who has the specified role on the action **@Secured('ROLE_USER')** can access others' data for the same action. – grails Dec 21 '15 at 14:13
  • You need to check the actual user or use ACL – Igor Artamonov Dec 21 '15 at 14:14
  • @IgorArtamonov is right; you should consider using a security plugin. Just hiding the URL will not protect the data, it will only hide the underlying problem. – Omar Yafer Dec 21 '15 at 15:54
  • Are there any available tutorials or examples for using Spring ACL? – grails Dec 21 '15 at 23:14

3 Answers


You can encode the url. If you replace the 2 with %32, the browser will still interpret it as the character 2. Here is a complete list of characters.

red_kb

You can send a POST request instead of GET - this is an easy way of hiding such request parameters, e.g. in server log files.

Or you can play with GRAILS codecs.

Michal_Szulc
  • I made, as you suggested, `static allowedMethods = [index:['POST', 'GET'], show:'POST']` to send everything by the POST method, but nothing changed – grails Dec 20 '15 at 23:10
  • Please check out these answers: http://stackoverflow.com/questions/8384931/how-to-only-accept-post-variables-in-grails – Michal_Szulc Dec 20 '15 at 23:24

I would not hide the ID from the url. Why? because this would only mask the problem.

Consider having a class defined as:

class Post {

    String title
    String content
    User user // you need this to keep track of the post's owner
    // You could use your own custom class or the one used in spring security

    ...
}

If you use Spring Security Core, you would use a function similar to:

def springSecurityService

@Secured(['ROLE_USER'])
def myFunction(Long id) {
    def postInstance = Post.read(id)

    if (postInstance) {
        // springSecurityService?.principal?.id retrieves the id of the user in session;
        // the owner stored on the record is compared with the authenticated user,
        // never with anything taken from the request
        if (postInstance.user.id == (long) springSecurityService.principal.id) {
            //... redirect to details of whatever you need
        } else {
            //... redirect because it is not the owner of the post
        }
    } else {
        //... Redirect or something
    }
}

If you are using a simple session you would need to have a function like

def myFunction(Long id) {
    def postInstance = Post.read(id)
    // Long (not long) so a missing session attribute yields null instead of a cast error
    Long userId = session["user_id"]

    if (postInstance && userId && userId > 0) {
        if (postInstance.user.id == userId) {
            //... redirect to details of whatever you need
        } else {
            //... redirect because it is not the owner of the post
        }
    } else {
        //... Redirect or something
    }
}

The logic is very similar. Still in my humble opinion you should use the spring Security plugin.

Omar Yafer
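The following is an added example, not code from the question or from any of the answers. It is a stand-alone Groovy script (run with `groovy`) that models the ownership check from the last answer without a Grails runtime, and it also shows why the percent-encoding suggested in the first answer hides nothing. The `User`, `Post` and `PostAccessPolicy` classes, the in-memory store standing in for `Post.read(id)`, and the sample users and posts are all constructed for this example.

```groovy
import java.net.URLDecoder

// Minimal stand-ins for the Grails domain classes used in the answer above.
class User { Long id; String username }

class Post { Long id; String title; User user }

// Outcome of resolving a post for a given viewer; the controller action
// decides how to respond to each outcome.
enum Access { OK, NOT_FOUND, FORBIDDEN }

class PostAccessPolicy {
    // Assumption: an in-memory map plays the role of GORM's Post.read(id).
    Map<Long, Post> store = [:]

    // viewerId is the id of the authenticated user. In a Grails app it comes from
    // springSecurityService.principal.id (spring-security-core) or from
    // session['user_id'] as Long (plain session), never from the request URL.
    Access resolve(Long postId, Long viewerId) {
        if (viewerId == null) return Access.FORBIDDEN   // nobody is logged in
        Post post = store[postId]
        if (!post) return Access.NOT_FOUND
        // The decisive check: the record's stored owner against the caller.
        return post.user.id == viewerId ? Access.OK : Access.FORBIDDEN
    }
}

// Percent-encoding a path segment does not change what the server sees:
// the servlet container decodes it before routing reaches the controller.
static String decodedPath(String rawPath) {
    URLDecoder.decode(rawPath, 'UTF-8')
}

// Constructed sample data: Alice (id 3) owns post 2, Bob (id 4) owns post 5.
def alice = new User(id: 3L, username: 'alice')
def bob   = new User(id: 4L, username: 'bob')
def policy = new PostAccessPolicy()
policy.store[2L] = new Post(id: 2L, title: "Alice's post", user: alice)
policy.store[5L] = new Post(id: 5L, title: "Bob's post",   user: bob)

assert policy.resolve(2L, alice.id) == Access.OK          // /show/2 by Alice
assert policy.resolve(5L, alice.id) == Access.FORBIDDEN   // /show/5 typed by Alice
assert policy.resolve(9L, alice.id) == Access.NOT_FOUND   // no such post
assert policy.resolve(2L, null)     == Access.FORBIDDEN   // anonymous request

// "/show/%32" is the same request as "/show/2", so encoding is not a control.
assert decodedPath('/MyApp/show/%32') == '/MyApp/show/2'

println 'ownership checks behave as expected'
```

A common way to express the same check inside a real Grails action is an owner-scoped query such as `Post.findByIdAndUser(id, springSecurityService.currentUser)` (a GORM dynamic finder), which returns null for both a non-existent post and someone else's post; responding to NOT_FOUND and FORBIDDEN with the same status code keeps the existence of other users' records from being inferred by walking ids.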