
I'm working on a Grails app. When doing a GET request (to show one entity, for example), the id of that entity is shown in the URL in the browser. For security reasons, I'm trying to encrypt the id in the URL. Any idea how I can hash the id or any params in Grails?

http://url/controller/action/3
http://url/controller/action/08eab7690d2a6ee69

I'm wondering if there is something already built that would allow encrypting/decrypting the query params in Grails.

Also, is it possible to apply the encryption/decryption mechanism in the URLMapping file? Any idea?

Thanks in advance

Hanan Atallah

1 Answer


Basically no, you need to make your own encryption/decryption methods. Can I ask why you are trying to encrypt it? Is it because you have this scenario?

http://url/controller/id1
http://url/controller/id2

And therefore the reason for your encryption would be to stop others from browsing other requests. If so, there are other alternatives to encryption. As an example, I am working on something similar, but instead of all the overhead of encryption I have made it so that if an id is provided it must also provide the username for that id:

http://url/controller/id1?username=username
http://url/controller/id1?username=username2

When I get an ID I also check if there is a username param and if the username matches the id's username. This then stops others from being able to troll through the links.

If you still wish to encrypt, let me know and I can provide some more guidance.

class MyController {
  def index() {
     if (params.id) {
        // replace the obfuscated value from the URL with the real numeric id
        params.id = Md5Helper.translate(params.id as String)
     }
  }
}

In src/groovy/main/{package}/Md5Helper.groovy:

class Md5Helper {

   // return the de-converted string as a Long value
   public static Long translate(String input) {
      // do your md5 decryption here; this placeholder just passes the value through
      String result = input
      if (result.isNumber()) {
         return result as Long
      }
      return 0L
   }

   // overload so when a default Long is sent it is just returned
   public static Long translate(Long input) {
      return input
   }

}

CompileStatic the helper class if above Grails 2.4 and job done.

Moving away from md5 encryption and using proper internal encryption/decryption with a key that you can change, making it un-encryptable by the end user, refer to https://github.com/vahidhedayati/md5id/

V H
  • Thanks for your reply. Actually the requirement here, for security reasons, is to not show the id itself in the URL, but the encrypted value: http://url/controller/id1 ==>> http://url/controller/(encrypted id). So the user will not be aware of the real id but sees the encrypted id instead. – Hanan Atallah Apr 20 '17 at 10:57
  • How encrypted do you need things to be? There is basic decryptable encryption, I think it was md5 of the string, that you can decompile, but so can the user; or there is full-on encryption which requires a key to then decrypt. – V H Apr 20 '17 at 11:01
  • md5 is good enough. How can I apply it in Grails (view/controller)? – Hanan Atallah Apr 20 '17 at 11:08
  • http://www.tothenew.com/blog/encode-content-to-md5-using-groovy-or-grails-with-webhook-example/ http://www.avajava.com/tutorials/lessons/how-do-i-generate-an-md5-digest-for-a-string.html should help you out. I am convinced I have a much easier way; I will look it up and update with another comment if I do locate it later. Another one: https://gist.github.com/ikarius/299062/85b6540c99878f50f082aaee236ef15fc78e527c – V H Apr 20 '17 at 11:16
  • Thanks very much! – Hanan Atallah Apr 20 '17 at 11:21
  • I'm wondering if we can apply the md5 encryption/decryption in the URLMapping file, any idea? I updated the question above as well. – Hanan Atallah Apr 24 '17 at 09:38
  • /08eab7690d2a6ee69 is still treated as params.id by Grails and it is then up to you to write that de-conversion process. You need a helper class that statically updates the id for you; will update my answer. – V H Apr 24 '17 at 09:46
  • So I have to use it in each controller/action in the whole project? – Hanan Atallah Apr 24 '17 at 10:04
  • Depending on how you have written your code, you could introduce a centralised controller that all other controllers extend and that does this work in a private method. That still means you have to call it, and this is rather an ugly way to resolve the issue. I would suggest using validation beans and having a master/base validation class that auto-magically converts the id back; all your controller actions then use validation beans which all extend the base validation class that does this. Ultimately you are reworking how Grails works with the params.id element. – V H Apr 24 '17 at 10:28
  • Example github.com/vahidhedayati/md5id updated, id gets auto-bound. – V H Apr 26 '17 at 13:27
  • Thanks much. I applied the suggested fix in my app. I used the encoded id as a transient in the domain and do the decode in the controller, so nothing will be done inside the views. – Hanan Atallah May 01 '17 at 06:29
  • Cool, that's probably even smarter than the suggested example in the project. Unsure if you ended up using the suggested method to encrypt/decrypt as per the md5id example. Noticed all objects for id 1 have the same encryption; a revisit is needed to look at this.getClass() or Class.simpleName. If you wanted me to try to expand on the example site I can take a look later today. Also, thinking about it, when doing transient id conversion does this not mean you need to replicate it across all domain objects? If so, possibly worth looking at an abstract class that does it once that the rest extend, updates in 1 place. – V H May 01 '17 at 13:36
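An added example, not code from the answer or from the md5id project: MD5 is a one-way digest, so a controller cannot recover an id from it, and a hash of "1" is the same for every entity, which is the problem the last comment notices. This hypothetical IdCodec (Groovy, javax.crypto, Java 8+) is the keyed approach the answer's last paragraph points to: it encrypts the id with AES-GCM under a server-side key and authenticates the entity type, so a token minted for one domain class is rejected for another and any edited token is rejected outright.

```groovy
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
import java.nio.ByteBuffer
import java.nio.charset.StandardCharsets
import java.security.GeneralSecurityException
import java.security.SecureRandom

// Hypothetical replacement for the answer's Md5Helper: a keyed, reversible id token.
class IdCodec {
    private static final int NONCE_BYTES = 12
    private static final int TAG_BYTES = 16
    private final SecretKeySpec key

    // rawKey: 16 or 32 random bytes read from server-side config, never from the request
    IdCodec(byte[] rawKey) { key = new SecretKeySpec(rawKey, 'AES') }

    // Encrypt the id under a fresh nonce; entityType is authenticated data, not encrypted.
    String encode(Long id, String entityType) {
        byte[] nonce = new byte[NONCE_BYTES]
        new SecureRandom().nextBytes(nonce)
        Cipher c = Cipher.getInstance('AES/GCM/NoPadding')
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BYTES * 8, nonce))
        c.updateAAD(entityType.getBytes(StandardCharsets.UTF_8))
        byte[] ct = c.doFinal(ByteBuffer.allocate(8).putLong(id).array())
        byte[] out = ByteBuffer.allocate(NONCE_BYTES + ct.length).put(nonce).put(ct).array()
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out)
    }

    // Returns the id, or null when the token is malformed, tampered with, or minted for another type.
    Long decode(String token, String entityType) {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(token)
            if (raw.length != NONCE_BYTES + 8 + TAG_BYTES) return null
            byte[] nonce = Arrays.copyOfRange(raw, 0, NONCE_BYTES)
            byte[] body = Arrays.copyOfRange(raw, NONCE_BYTES, raw.length)
            Cipher c = Cipher.getInstance('AES/GCM/NoPadding')
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BYTES * 8, nonce))
            c.updateAAD(entityType.getBytes(StandardCharsets.UTF_8))
            return ByteBuffer.wrap(c.doFinal(body)).getLong()
        } catch (GeneralSecurityException | IllegalArgumentException ignored) {
            return null   // AEADBadTagException on tampering, IllegalArgumentException on bad base64
        }
    }
}

// Demo with a constructed all-zero key; a real key comes from server config and can be rotated.
def codec = new IdCodec(new byte[16])
String token = codec.encode(3L, 'Book')         // use in the URL instead of the bare id 3
assert codec.decode(token, 'Book') == 3L
assert codec.decode(token, 'Author') == null    // same id, different entity type: rejected
```

In a controller the call replaces the Md5Helper line from the answer, e.g. `Long bookId = codec.decode(params.id as String, 'Book')`, and a null result is treated as not found rather than as id 0.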