Java Spring MVC: hiding url parameters on GET

Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original address: http://stackoverflow.com/questions/16258426/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-10-31 22:25:53  Source: igfitidea

Spring MVC hiding url parameters on GET

Tags: java, spring, spring-mvc

Asked by devdar

I have a page that does a redirect to another page however a parameter is passed in the redirect. In the Controller there is a url mapping that matches the url with a GET method. The get method takes the parameter and sets values on the display. The url looks like this:

http://localhost:1234/appName/pageName.htm?recNo=123

However it is very easy for the user to change the parameter value from 123 to any value and then refresh the page. Once the recNo the user enters is valid and the page is refreshed the data will be displayed. I want to allow the user to only be able to view the record for the recNo that was passed. I do not want the user to be able to modify the parameter in the url.

What is the best approach to handling this in Spring MVC? The method must be a GET after the page is redirected.

Answered by Akshay

If your request must be GET, it means it must be stateless. It should not rely on what the user did in the last request, which also means that all the information required for the GET request to be executed properly should be contained within the GET request.

With that in mind, the only way to pass information in the URL is by making it a part of the URI, or as a URL parameter. So either /app/product/123 or /app/product?id=123.

This exposes the URL to a possible security vulnerability where the user can manipulate the id in the url.

There are two solutions:

  1. Implement a more robust system in the backend to check that the id referenced in the GET url is associated / allowed for the user who is trying to access the URL. Basically be more explicit and deliberate about asserting your security constraints. This method will fail if your users are unauthenticated users. (No login needed).

  2. The second solution is to expose an encrypted and encoded version of the id in the url. You should use a two way encryption though. So when the POST request completes, it encrypts and encodes the id and appends it to the subsequent GET request. When the GET request is received you decode and decrypt the url parameter to get the real id and show appropriate content. This method basically implies that it would be very difficult for a user to manipulate an encrypted parameter such that it could be decrypted to produce a valid number. I often use AES encryption and Base 64 encoding.

Hope this helps.

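As an added example, not code from the answer above, here is solution 2 written so that a token edited in the URL is rejected rather than decrypted to some other number: the answer's AES plus Base64, done with AES-GCM (which authenticates the ciphertext) and the URL-safe Base64 alphabet. The class name, the key source and the `rec` parameter name are assumptions; this complements, and does not replace, the per-user check in solution 1.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Converts a numeric recNo into an opaque, tamper-evident URL token and back.
 * Hypothetical helper written for this page; the key comes from server-side configuration.
 */
public final class RecordTokenCodec {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;  // authentication tag length
    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();

    public RecordTokenCodec(byte[] rawKey) {  // 16, 24 or 32 bytes
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Called after the POST completes: the result goes into "redirect:/pageName.htm?rec=" + token. */
    public String encode(long recNo) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                 // fresh nonce per token, so equal ids yield different URLs
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(ByteBuffer.allocate(Long.BYTES).putLong(recNo).array());
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        // URL-safe alphabet without padding: no '+', '/' or '=' to get mangled in the query string
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Called in the GET handler. Any change to the token fails the GCM tag check and throws before
    // an id is produced; with an unauthenticated mode a flipped bit could instead decrypt to a
    // different, valid-looking recNo. The caller maps the exception to a 404.
    public long decode(String token) throws GeneralSecurityException {
        byte[] in = Base64.getUrlDecoder().decode(token);  // IllegalArgumentException on bad Base64
        if (in.length != IV_BYTES + Long.BYTES + TAG_BITS / 8) {  // 12 + 8 + 16 bytes
            throw new GeneralSecurityException("token has wrong length");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);  // AEADBadTagException if altered
        return ByteBuffer.wrap(pt).getLong();
    }
}
```

The POST handler redirects to `"redirect:/pageName.htm?rec=" + codec.encode(id)`, and the GET handler passes the `rec` parameter to `decode`, treating both `GeneralSecurityException` and `IllegalArgumentException` as a 404 so the response does not reveal why a token was refused.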
Answered by Bassem Reda Zohdy

If you are redirecting to a page in the same application, you can store this info in the session using @SessionAttributes.

Answered by Shivam

Assumption: it is not mandatory to use the "get" method.

I think you can hide the parameters in the URL by using the "post" method instead of the "get" method.

In an HTML form, you can add method="post". Below is an example:

<form action="hello" method="post">
    <input type="text" name="name" /> <br>
    <input type="submit" title="Submit">
</form>