I am building an application using Spring Framework 3.1
I am having my controllers mapped with url containing path variables that stands for some id.
But I don't want the user to tamper with the url and change the path variable value manually.
I want to restrict them from doing so.
I have already tried using the ShallowEtagHeaderFilter. But its not working the way it suppose to.
I don't know whether I missed any configuration for the filter or its not working at all.
here is my web.xml where I have configured the dispatcher servlet and filter.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
Please help me with this.
Thanks in advance.
I don't understand how ShallowEtagHeaderFilter fits into this picture, I think you misunderstood its functionality. It's supposed to reduce network traffic by taking pages from the browser cache. That's a totally different scenario from yours.
Basically: if you don't want users to tamper with URLs, you will need to have a way to verify that the URL was created by your application, usually a checksum parameter of some sort with an algorithm that's not easy to guess.
aB is calculated based on
/site/12/user/12345. Now if the user changes the URL to
/site/13/user/12345/aB the checksum is wrong and you can send a 404 or a 400 or whatever error you want to send.
I'd probably implement the checksum check as a Filter and write a utility method that creates URLs with checksum based on plain URLs (possibly you'll need a JSP tag as well)