URL Encryption
Hi guys!!
I think my problem is a common one, but I didn't find any satisfactory answer.
Here it is:
We developed an application mainly in JSP, without following MVC (surprisingly). It shows all the URLs and parameters in plain form, which I am assigned to change, as anyone can alter the URL and access things.
Now I want to use some sort of URL encryption or encoding. Most of the standard sites use some sort of URL encoding so that the URL seems like nonsense to the users, but I don't have any idea how to do that. If you guys can help in any way.
I am also interested in knowing how much rework will be needed, if you have any idea, as I mentioned we are not using any MVC, so no Controller :(.
Thanks in advance
***Java File:***
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;

public class EncryptionHelper {
    private static final String PASS_PHRASE = "passphrase";

    public static String encrypt(String msg) {
        try {
            // DESKeySpec uses the first 8 bytes of the pass phrase as the key
            KeySpec keySpec = new DESKeySpec(PASS_PHRASE.getBytes(StandardCharsets.UTF_8));
            SecretKey key = SecretKeyFactory.getInstance("DES").generateSecret(keySpec);
            // "DES" alone selects the provider's default mode and padding
            Cipher ecipher = Cipher.getInstance(key.getAlgorithm());
            ecipher.init(Cipher.ENCRYPT_MODE, key);
            // Encode the string into bytes using UTF-8
            byte[] utf8 = msg.getBytes(StandardCharsets.UTF_8);
            // Encrypt
            byte[] enc = ecipher.doFinal(utf8);
            // Encode bytes to Base64 to get a string
            // (java.util.Base64 stands in for sun.misc.BASE64Encoder, which current JDKs no longer ship)
            return Base64.getEncoder().encodeToString(enc);
        } catch (GeneralSecurityException e) {
            e.printStackTrace();
        }
        return null;
    }

    public static String decrypt(String msg) {
        try {
            KeySpec keySpec = new DESKeySpec(PASS_PHRASE.getBytes(StandardCharsets.UTF_8));
            SecretKey key = SecretKeyFactory.getInstance("DES").generateSecret(keySpec);
            Cipher decipher = Cipher.getInstance(key.getAlgorithm());
            decipher.init(Cipher.DECRYPT_MODE, key);
            // Decode Base64 to get bytes
            byte[] dec = Base64.getDecoder().decode(msg);
            // Decrypt
            byte[] utf8 = decipher.doFinal(dec);
            // Decode using UTF-8
            return new String(utf8, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // IllegalArgumentException: the input was not valid Base64
            e.printStackTrace();
        }
        return null;
    }

    public static String encodeURL(String url) {
        try {
            return URLEncoder.encode(url, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        return null;
    }
}
Now in JSP we can write like this:
<%@page import="EncryptionHelper"%>
<%
String query = "id=101&item=22&conf=12234";
String encoded = EncryptionHelper.encodeURL(EncryptionHelper.encrypt(query));
response.sendRedirect("process.jsp?data="+encoded);
%>
Now it's Easy.. Enjoy
Similar Messages
-
Hi,
I am doing the implementation of video protection in my project. I am using Flash Media Interactive Server 4.5. I wanted to understand if there is any way we can encrypt the video (RTMP / HTTP) URL in case of streaming and HTML5 players?
Basically, I referred to one technical doc from Adobe: http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashmediaserver/pdfs/protecting_video_fms.pdf
As per pg 7, this can be done using server-side scripting. Is there any detailed description or reference APIs for the same?
thanks,
Komal -
If I am using SSL to keep data secure in transmission, is the URL encrypted? Because otherwise wouldn't a hacker be able to get the session id from the URL and spoof as the client?
Thanks for any help
The session id isn't in the url. I don't think you have a problem.
-
OBIEE 11g - Integrating via external corporate website to OBIEE
Hi all -
Unusual challenge: we offer a hosted application (SaaS) where our users are authenticated on our application. Recently, we've invested in OBIEE 11g and have successfully deployed the recommended Oracle Enterprise Deployment. We have a custom security solution (user permissions in Oracle tables, not LDAP), and have not implemented Oracle Identity Mgmt and don't plan to.
We would like to use GoURL / Action Framework to access report content, dashboard content, and content as portlets embedded in an app dashboard to an iFrame.
My question: can we configure OBIEE to accept just "username" without password in a trusted login scenario? We are trying not to expose the password in the URL (encrypted or clear text).
We've done an exhaustive search to review GoUrl, web service / soap calls, reviewing impersonator passcode techniques (everyone having same pad in initialization block), etc.
Thank you in advance for your most needed responses,
There is a good post that led me on the way to solving this problem here:
http://obiee101.blogspot.com/2010/07/obiee-remove-whole-portalbanner.html
The code he posts won't work for 11g, but it's close.
Paste this code into a text box on each page of your dashboard, make sure you check the box that says "contains HTML"
<script type="text/javascript">
// getElementsByTagName returns a live collection, so iterate backwards:
// removing a table then does not shift the entries still to be visited.
var tds = document.getElementsByTagName('table');
for (var td = tds.length - 1; td >= 0; td--) {
    if (tds[td].className != 'HeaderTopBar' && tds[td].className != 'HeaderSecondBar') {
        continue;
    }
    if (tds[td].className == 'HeaderTopBar') {
        //alert (tds[td].className);
        var x = tds[td].parentNode;
        //alert (x.className);
        x.removeChild(tds[td]);
    } else if (tds[td].className == 'HeaderSecondBar') {
        //alert (tds[td].className);
        var x = tds[td].parentNode;
        //alert (x.className);
        x.removeChild(tds[td]);
    }
}
</script> -
How to access servlet objects from OA page controller class
Hi everybody!
I need to put some value into servlet attribute in OA page controller class to read it from ordinary servlet later.
How can i do it? Is it possible to get HttpServletRequest and HttpServletResponse objects from page controller?
Thank you.
I have a servlet which receives uploaded files with special attributes (something like tags for file) using POST request.
These attributes are created when the user opens the page in a standard OAF page via the page controller.
On the client side I have an applet which uploads the user-selected file to my servlet and passes these file attributes.
Now these attributes are passed as plain text. I want to encrypt these attributes to hide attribute details from the user. To do this I need to share some information between the OAF page and my servlet.
I know that OAF supports URL encryption, but to decrypt it I should use standard pageContext object.
But in ordinary servlet I can't use it. -
BadPaddingException: Given final block not properly padded
Hi,
Can someone please tell me what's going on??
When I call c.doFinal(byte[]) and the length of my byte array is 512, I get a BadPaddingException. However, when I make the same call and my byte array's length is 504, everything is fine. Both are multiples of 8, so I don't understand why this is happening. Thanks in advance!!!
Colin
here's my jsp code:
<%@ page import="javax.crypto.*, java.io.UnsupportedEncodingException" %>
<%!
public class Crypto {
    Cipher ecipher;
    Cipher dcipher;

    public Crypto(SecretKey key) throws SecurityException {
        try {
            ecipher = Cipher.getInstance("DES");
            dcipher = Cipher.getInstance("DES");
            ecipher.init(Cipher.ENCRYPT_MODE, key);
            dcipher.init(Cipher.DECRYPT_MODE, key);
        } catch (javax.crypto.NoSuchPaddingException e) {
        } catch (java.security.NoSuchAlgorithmException e) {
        } catch (java.security.InvalidKeyException e) {
        }
    }

    public String encrypt(String str) {
        try {
            // Encode the string into bytes using utf-8
            byte[] utf8 = str.getBytes("UTF8");
            // Encrypt
            byte[] enc = ecipher.doFinal(utf8);
            // Encode bytes to base64 to get a string
            return new sun.misc.BASE64Encoder().encode(enc);
        } catch (javax.crypto.BadPaddingException e) {
        } catch (IllegalBlockSizeException e) {
        } catch (UnsupportedEncodingException e) {
        } catch (java.io.IOException e) {
        }
        return null;
    }

    public String decrypt(String str) {
        try {
            // Decode base64 to get bytes
            byte[] dec = new sun.misc.BASE64Decoder().decodeBuffer(str);
            // Decrypt
            byte[] utf8 = dcipher.doFinal(dec);
            // Decode using utf-8
            return new String(utf8, "UTF8");
        } catch (javax.crypto.BadPaddingException e) {
            System.out.println("error 1"+e);
        } catch (IllegalBlockSizeException e) {
            System.out.println("error 2");
        } catch (UnsupportedEncodingException e) {
            System.out.println("error 3");
        } catch (java.io.IOException e) {
            System.out.println("error 4");
        }
        return null;
    }
}// end of class crypto
%>
<body>
<%
try {
    // A new random DES key is generated on each request
    SecretKey key = KeyGenerator.getInstance("DES").generateKey();
    // Create encrypter/decrypter class
    Crypto crypto = new Crypto(key);
    // Decrypt
    // pwd and password are defined elsewhere in the page (not shown in the post)
    System.out.println("@@@@@ pwd from dbase = "+pwd);
    String decrypted = crypto.decrypt(pwd);
    String encrypted = crypto.encrypt(password);
    System.out.println("@@@@@ pwd from url encrypted = "+encrypted);
    System.out.println("###### decrypted = "+decrypted);
} catch (Exception e) {}
%>
</body> -
Running Forms Https (forms 10g with A/S and webcache)
I'm trying to implement Credit Card processing for applications in our agency. The environment is in the subject. There will be two types of applications that need to process credit cards:
1. Users coming in through our external website running java applications.
2. Internal users running Oracle Forms (against another App Svr deployment)
I'll be using a payment gateway accessible via a web service to authorize the card. I can talk to this via a java w/s client proxy w/o a problem. Here's the problem though:
I've been told that when forms are running https, ALL forms running on the application server, regardless of application will now be running https. I'd like the Credit Card entry Oracle Form to be running https, but don't see how this affects all the other forms in our environment (hundreds of them). Can't one screen (http) call a CC screen (this one only running https), and they can enter the card into that? From the reading I've done this should be possible.
I'm not the Application Server admin. This is what I've been told, and I cannot configure the environment. I've been told that Forms will now have to call a JSP CC entry screen that I write and that screen would now invoke the web service. Of course, my concern is that the oracle form and the jsp screen are now asynchronous, and one won't be able to tell when the other is done (unless I poll on the form, or go the route of PJCs and javascript - I've seen an article for this already --- HOWEVER, this was shot down as well.)
My question boils down to:
1. Can I run all my other forms http, and then this CC screen https (via a web.show_document), and then it can hit the web service directly via a java imported client proxy rather than me writing extra methods, and another screen/conf page that's specific to forms users?
[I need to run forms https since the default 40-bit encryption is not enough.]
Here are my related questions/threads to this one:
Forms Client Side Encryption and invoking external Secure Service via URL
encrypting creditcard for "in-transit"
loadjava sunrsasign.jar
As always, help is very much appreciated, and a very big thanks for any answers/suggestions.
Eric
Eric,
You may want to ask your question in the App Server forum. -
How to encrypt UserID and Password in HTTP url
Hello experts,
We want to encrypt UserID and Password which has used in http URL in SAP PI 7.1.
As we have used SOAP adapter with Transport Protocol HTTP for sender server.
Kindly help us on it.
Regards,
Poonam.
Hi,
please go through below blog,
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b04408cc-f10e-2c10-b5b7-af11026b2393?QuickLink=index&overridelayout=true
please go through below threads,
SOAP Envelope with user id password
Soap ---to ----file scenario
regards,
ganesh. -
Encrypt the username and Password in URL
Hi
My requirement is to encrypt the Password in the URL.
http://Server_name/analytics/saw.dll?NQUser=Administrator&NQPassword=*Administrator*.
Here My URL should look like this.
http://Server_name/analytics/saw.dll?NQUser=Administrator&NQPassword=*encrypted password*.
Hi, in what situation do you need this? Actually this is not a good practice to expose the user name and password over the URL. Better to force the user to login and then continue.
If the user already logged in and while clicking you need to do a navigation then no need of passing username or password.
Edited by: Ugser on Sep 7, 2009 8:08 AM -
How to encrypt Password while calling Portal URL from Abap
Hi all,
My requirement is to call the portal from R/3 4.6C. As part of it I'm calling the Portal URL along with user id & password by using the FM CALL_BROWSER. The problem here is that the user ID & password are visible to everyone in the URL.
Is there any way that I can encrypt them so that it doesn't become a security issue?
I really appreciate your help.
Thanks
Seshu
Can you please mention the ABAP code by which you are sending the username and password to a portal via URL.....
Are you able to log on to the portal...please share your code ......
Edited by: Ashutosh Shukla on Apr 18, 2008 9:17 AM -
Hi,
I am taking an online class. I need to access this URL address and I don't know why I am not able to connect now; it is telling me there is an error. That the connection is not encrypted? Not sure what that means. However, I have been able to connect to this link since
Monday 7/11 till now! The only thing I did this morning was clear my history and cookies. I am not sure if this had anything to do with this. Please help me correct this problem, for I need to be able to access this link for my class. Thanks
Yes. It works for me as well. So it looks like they corrected the problem.
I see a very large image of 3,564.59 KB (3,650,138 bytes) that is scaled down 2,048px × 3,072px (scaled to 65px × 75px).
That is usually not a good idea as that requires downloading that image.
Firefox is also not very good at scaling down images, but with such a large reduction that probably wouldn't matter. -
How to encrypt the document number in URL
Hi All,
I am working on a project where I need to send a URL to the user in his email; the URL contains the document number in it. When the user clicks on that URL a webdynpro application will open with data prepopulated based on the document number. Now what I want is how I can encrypt the document number in the URL when sending it to the user, so basically the user who gets the URL should not be able to see the document number in the URL.
Please advise.
Thanks,
Rajat Garg
Thanks again for the reply and now I am able to encrypt and decrypt my document number... one more question please: will it be possible to change the whole URL to some basic message type URL, for example:
let's say our URL is "http://testdoc/post?mssg" and I want to change this to "OPEN DOCUMENT" and when the user clicks on "OPEN DOCUMENT" it will still direct to the original destination, that is, our original URL.
I have been told that we don't want to maintain a custom table unless it's our last choice.
Thanks,
Rajat -
HTTP Streaming + AES Encryption : Put key URL for segment local to device?
I am creating an HTTP live stream, and I would like to encrypt the segments using
AES 128 encryption. The apple docs describe one encryption method: storing the 16 byte key on disk, and providing the URL to this file in the index file.
Can I make this URL local to the device, of the form file:///PATH/TO/KEY ?
Rationale: I am using in app purchase to allow users to purchase access to my video content. I would like to provide the key when the user purchases the content. Then I would store the key to disk on the device. I can't store the key on the server because it does not support https.
Thanks!
I have added the permit any any on the outside and vpn interfaces of both ASAs. I also change the source and destination of the nat exempt rule to any any.
-
Encrypting authentication details - HTTP URL Connection
Hi,
We have a Java application which retrieves HTML content from an intranet page using HTTPURLConnection and displays a portion of the content. The site to which we are connecting using HTTPURLConnection requires basic user authentication and we are passing the user name and password using BASE 64 encoding in the request header. Now this intranet site is going to be hosted externally. Just wanted to know the different options on how to send the user name and password in encrypted format. Is the recommendation just to enable HTTPS for that site and pass the user name and password using the HTTP URL Connection API? Or are there any other options? Appreciate any inputs.
Thanks.
http://java.sun.com/javase/6/docs/technotes/guides/net/http-auth.html
-
In Go URL how to hide or mask or encrypt password?
Hi Experts,
I need to see my OBIEE 11g dashboards and Reports from external application. For that I am passing the Variable through GO URL.
The Syntax of the URL is like below :
http://localhost:9704/analytics/saw.dll?Dashboard&NQUser=XXXXX&NQPassword=XXXXXX&PortalPath=XXXXX
But my requirement is that no one should see the username and password in the URL (i.e., I want to hide the login details). Not quite sure about how to achieve the same. Could you guys please help me out.
Any help/suggestions is much appreciated.
Regards,
Siva Prasad
Hi Srini,
I tried the post method in the external application (Oracle Apex). There inside an IFRAME I have to see OBIEE 11g reports.
Initially it was like this and it is working fine.
<iframe src="http://localhost:9704/analytics/saw.dll?Dashboard&NQUser=XXXXXX&NQPassword=XXXXX&PortalPath=/shared/XXXXX/XXXXX" width="1325" height="600" scrolling="yes"></iframe>
Then I changed to
<IFRAME width="1325" height="600" scrolling="yes">
<form name="myForm" action="http://localhost:9704/analytics/saw.dll?Portal" method="post">
<input type="hidden" name="NQuser" value="XXXXX" >
<input type="hidden" name="NQpassword" value="XXXXX" >
<input type="hidden" name="Path" value="/shared/XXXXX/XXXXX" >
<input type="hidden" name="Action" value="Navigate" >
<input type="submit" value="BI Report" />
</form>
</IFRAME>
But I couldn't see anything. Could you please help?
Thanks,
Siva Prasad