
Spring MVC hiding url parameters on GET

I have a page that does a redirect to another page; however, a parameter is passed in the redirect. In the Controller there is a URL mapping that matches the URL with a GET method. The GET method takes the parameter and sets values on the display. The URL looks like this:

http://localhost:1234/appName/pageName.htm?recNo=123

However, it is very easy for the user to change the parameter value from 123 to any value and then refresh the page. Once the recNo the user enters is valid and the page is refreshed, the data will be displayed. I want to allow the user to only be able to view the record for the recNo that was passed. I do not want the user to be able to modify the parameter in the URL.

What is the best approach to handling this in Spring MVC? The method must be a GET after the page is redirected.

If you're redirecting to a page in the same application, you can store this information in the session using @SessionAttribute.
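The session-based approach from the answer above, written out as an added example (this is not code from the answer or from Spring's own documentation). The controller name, the /select.htm mapping, the view name and the RecordService lookup are assumptions made for illustration; @SessionAttribute needs Spring 4.3 or later, and on Spring 6 the servlet import is jakarta.servlet.http.HttpSession.

```java
// Added example, not code from the original answer. The selected record id is
// kept in the HttpSession, so the redirected GET carries no recNo in the URL.
// RecordService and the mapping and view names are assumptions for illustration;
// @SessionAttribute needs Spring 4.3+ (use jakarta.servlet.http on Spring 6).
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttribute;

interface RecordService { Object load(long recNo); }   // assumed lookup service

@Controller
public class RecordController {
    private final RecordService recordService;

    public RecordController(RecordService recordService) {
        this.recordService = recordService;
    }

    // Step 1: the POST that chooses the record stores recNo in the session and
    // redirects to a bare URL. The browser lands on /appName/pageName.htm with
    // no query string, so there is no parameter for the user to edit.
    @PostMapping("/select.htm")
    public String select(@RequestParam("recNo") long recNo, HttpSession session) {
        session.setAttribute("recNo", recNo);
        return "redirect:/pageName.htm";
    }

    // Step 2: the GET reads recNo back from the session only. @SessionAttribute
    // is resolved from the HttpSession, never from request parameters, so a
    // ?recNo=999 the user appends by hand is simply not consulted.
    @GetMapping("/pageName.htm")
    public String show(@SessionAttribute(name = "recNo", required = false) Long recNo,
                       Model model) {
        if (recNo == null) {                    // nothing selected yet, or session expired
            return "redirect:/select.htm";
        }
        model.addAttribute("record", recordService.load(recNo));
        return "pageName";
    }
}
```

The session ties the id to the browser that submitted the POST, which is all this technique gives you: whatever recNo was accepted in select() is what show() displays, so if records belong to particular users, the check that the current user may view recNo belongs in select() (or in recordService) before the value is stored.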

If your request must be GET, it means it must be stateless. It should not rely on what the user did in the last request, which also means that all the information required for the GET request to be executed properly should be contained within the GET request.

With that in mind, the only way to pass information in the URL is by making it a part of the URI, or as a URL parameter. So either /app/product/123 or /app/product?id=123.

This exposes the URL to a possible security vulnerability where the user can manipulate the id in the URL.

There are two solutions:

  1. Implement a more robust system in the backend to check that the id referenced in the GET URL is associated with / allowed for the user who is trying to access the URL. Basically, be more explicit and deliberate about asserting your security constraints. This method will fail if your users are unauthenticated users (no login needed).

  2. The second solution is to expose an encrypted and encoded version of the id in the URL. You should use two-way encryption, though. So when the POST request completes, it encrypts and encodes the id and appends it to the subsequent GET request. When the GET request is received, you decode and decrypt the URL parameter to get the real id and show appropriate content. This method basically implies that it would be very difficult for a user to manipulate an encrypted parameter such that it could be decrypted to produce a valid number. I often use AES encryption and Base64 encoding.

Hope this helps.
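Both solutions from the answer above in one controller, as an added example that is not code from the answer or from any Spring project: the GET re-checks ownership on the server (solution 1), and the URL carries an AES-GCM encrypted, Base64url-encoded token instead of the raw id (solution 2). It goes slightly beyond the answer in two respects that a practitioner would want: GCM is an authenticated mode, so a token edited by one character fails the tag check instead of decrypting to a different number, and the username is fed in as additional authenticated data, so a token copied from another user's URL is rejected for the wrong user. AppRecord, RecordService, a logged-in java.security.Principal, the /select.htm mapping, the "rec" parameter name and the key source are assumptions; ResponseStatusException needs Spring 5 or later.

```java
// Added example, not code from the original answer. It combines the answer's two
// solutions: the GET re-checks ownership server-side (1) and the URL carries an
// AES-GCM encrypted, Base64url-encoded token instead of the raw id (2).
// AppRecord, RecordService, Principal-based login and the key source are assumptions.
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

interface AppRecord { String ownerId(); }                   // assumed domain type
interface RecordService { AppRecord load(long recNo); }    // assumed lookup, null if absent

@Controller
public class RecordController {
    private final RecordService recordService;
    private final RecordTokenCodec codec;
    public RecordController(RecordService recordService, RecordTokenCodec codec) {
        this.recordService = recordService;
        this.codec = codec;
    }
    // When the POST completes, redirect with the encrypted token, not the plain id.
    @PostMapping("/select.htm")
    public String select(@RequestParam("recNo") long recNo, Principal user) {
        return "redirect:/pageName.htm?rec=" + codec.encrypt(recNo, user.getName());
    }
    @GetMapping("/pageName.htm")
    public String show(@RequestParam("rec") String token, Principal user, Model model) {
        long recNo;
        try {
            // Solution 2: the GCM tag covers ciphertext and username, so editing any
            // character of the token, or replaying another user's token, fails here
            // instead of decrypting to some other valid id.
            recNo = codec.decrypt(token, user.getName());
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid record token");
        }
        // Solution 1: authorization is still decided from data the server holds.
        AppRecord record = recordService.load(recNo);
        if (record == null || !record.ownerId().equals(user.getName())) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "not your record");
        }
        model.addAttribute("record", record);
        return "pageName";
    }
}

/** AES-256-GCM token: base64url(nonce || ciphertext || tag), username as AAD. */
final class RecordTokenCodec {
    private static final int NONCE_BYTES = 12, TAG_BITS = 128;
    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();
    /** keyBytes: 32 random bytes loaded from configuration, never hard-coded. */
    RecordTokenCodec(byte[] keyBytes) {
        this.key = new SecretKeySpec(keyBytes, "AES");
    }
    String encrypt(long recNo, String username) {
        try {
            byte[] nonce = new byte[NONCE_BYTES];
            random.nextBytes(nonce);                                  // fresh nonce per token
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
            c.updateAAD(username.getBytes(StandardCharsets.UTF_8)); // bind token to this user
            byte[] ct = c.doFinal(ByteBuffer.allocate(Long.BYTES).putLong(recNo).array());
            byte[] out = ByteBuffer.allocate(NONCE_BYTES + ct.length).put(nonce).put(ct).array();
            return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("AES-GCM unavailable or key invalid", e);
        }
    }
    long decrypt(String token, String username) throws GeneralSecurityException {
        byte[] in = Base64.getUrlDecoder().decode(token);   // IllegalArgumentException if malformed
        if (in.length != NONCE_BYTES + Long.BYTES + TAG_BITS / 8) {
            throw new AEADBadTagException("unexpected token length");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, NONCE_BYTES));
        c.updateAAD(username.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES); // tag check happens here
        return ByteBuffer.wrap(pt).getLong();
    }
}
```

Register RecordTokenCodec as a bean built from a key held in configuration (a key file or secret store, not source control). The token is still a bearer value: anything that can read the URL, such as browser history, Referer headers or access logs, can replay it for that same user, which is why the ownership check in show() stays in place rather than trusting the decrypted id on its own.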

Assumption: if it is not mandatory to use the "get" method.

I think you can hide the parameters in the URL by using the "post" method instead of the "get" method.

In an HTML form, you can add method="post". Below is the example:

<!-- with method="post" the "name" field travels in the request body, not in the query string -->
<form action="hello" method="post">
    <input type="text" name="name" /> <br>
    <input type="submit" value="Submit">
</form>
