how to encrypt/encode url parameters in jsp

前端 未结 4 950
南笙
南笙 2021-01-21 04:53

I want to encrypt a URL variable so that the user can\'t see or modify the information when it is passed in jsp.

This is an example URL:

localhost/somew         


        
相关标签:
4条回答
  • 2021-01-21 05:24

    URLEncoder.encode(Encryption.encrypt(parameters), "UTF-8")

    0 讨论(0)
  • 2021-01-21 05:25

    Your question became solvable the moment we knew that you are 'sending this url as attachment in email... when receiver click on this link their payslip is confirmed'

    That means there are 3 options: encrypting, hashing and using random string(s).

    In this case I recommend the random strings (or hashing) instead of encrypting. The reason is 2-fold:

    • You are not sending out potentially private data (for google gmail to read, for example)
    • random string(s) (or hashing) is simpler, shorter and safer (for this case).

    Assuming you have a database containing your user-data, then you'd generate a unique random string (or hash) for that specific user/transaction. Then you store this data (you could hash it again internally) together with or linked to your user-data.

    Now you only send out the link with the random string(s)/hash that is uniquely linked to the user-data.

    Have a look on SO for https://stackoverflow.com/search?q=[jsp]+hash
    and please, for the love of [enter deity here], be sure you read Wikipedia about 'salt' etc.!!
    You do not want to make mistakes with user-payments!

    Now, make a choice, set it up and return with questions should you get stuck!

    EDIT:
    In fact.. instead of hashing, a completely 'random' (fixed length) unique string(s) is sufficient! Better yet: or two random strings, for a two-factor check: one string for identification, one for authentication.

    0 讨论(0)
  • 2021-01-21 05:37

    Always use POST method.

    And even in POST method, user can see the id and can change it in browser console network tab.So that, user can see other's email attachment since you mentioned in your comment like that.

    So, try to set id in jsp session and get the id in the java servlet code. it is really good practice.

    0 讨论(0)
  • 2021-01-21 05:39

    The best way to encode / decode in Base64 without using any third party libraries, you can use Using sun.misc.BASE64Encoder / sun.misc.BASE64Decoder.

    try  this snippet 
    
    
    
      String id="1234";
      byte[]   bytesEncoded = Base64.encodeBase64(id.getBytes());//encoding part
      String encoded_id=new String(bytesEncoded);
    
    
      String id1=request.getParameter("id");
      byte[] valueDecoded= Base64.decodeBase64(id1);//decoding part
      String decoded_id=new String(valueDecoded);
    

    Send 'encoded_id' as a url parameter instead of passing 'id'

    0 讨论(0)
提交回复
热议问题