
Grails: encrypt query params, use hashing to encrypt/decrypt the params in url and hidden fields


I'm working on a Grails app. When I do a GET request (to show one entity, for example), the id of that entity is shown in the URL in the browser. For security reasons, I'm trying to encrypt the id in the URL. Any idea how I can hash the id (or any params) in Grails?

    http://url/controller/action/3
    http://url/controller/action/08eab7690d2a6ee69

I'm wondering if there is something already built that would allow encrypting/decrypting the query params in Grails.

Also, is it possible to apply the encryption/decryption mechanism in the URLMappings file? Any idea?

Thanks in advance.


Solution

  • Basically no, you need to make your own encryption/decryption methods. Can I ask why you are trying to encrypt it? Is it because you have this scenario?

    http://url/controller/id1
    http://url/controller/id2
    

    And therefore the reason for your encryption would be to stop others from browsing other requests. If so, there are other alternatives to encryption. As an example, I am working on something similar, but instead of all the overhead of encryption I have made it so that if an id is provided it must also provide the username for that id:

    http://url/controller/id1?username=username
    http://url/controller/id1?username=username2
    

    When I get the ID I also check if there is a username param and if the username matches the id's username. This then stops others from being able to troll through the links.

    If you still wish to encrypt, let me know and I can provide some more guidance.

    class MyController {
      def index() {
         if (params.id) {
            // replace the incoming (encoded) id with the decoded Long before use
            params.id = Md5Helper.translate(params.id)
         }
      }
    }
    

    In src/groovy/main/{package}/Md5Helper.groovy:

    class Md5Helper {

       // return the decoded string as a Long value
       public static Long translate(String input) {
          // do your md5 decryption here; this placeholder just keeps the input as-is
          String result = input
          if (result.isNumber()) {
             return result as Long
          }
          return 0L
       }

       // overload so that when a plain Long is sent it is just returned
       public static Long translate(Long input) {
          return input
       }

    }
    

    @CompileStatic the helper class if above Grails 2.4 and job done.

    Moving away from md5 encryption and using proper internal encryption/decryption with a key that you can change, making it un-encryptable by the end user, refer to https://github.com/vahidhedayati/md5id/
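As an added example (not the answerer's code or the md5id project), here is what the "proper encryption with a key you can change" approach looks like as a Groovy helper: a hash such as MD5 is one-way and cannot be reversed into the id, so the token is built with AES-GCM instead, which both hides the id and rejects tokens that were tampered with. The class name `IdCodec`, the key bytes and the token layout are all assumptions; a server-side authorization check (like the username check above) is still needed, since a valid token only proves the server issued it.

```groovy
import javax.crypto.Cipher
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
import java.nio.ByteBuffer
import java.security.GeneralSecurityException
import java.security.SecureRandom

// Hypothetical helper for src/groovy: entity id -> URL-safe token -> entity id.
// Token layout: base64url(12-byte iv || AES-GCM ciphertext of the 8-byte id || 16-byte tag)
class IdCodec {
    private static final int IV_BYTES = 12
    private static final int TAG_BYTES = 16
    private final SecretKey key
    private final SecureRandom rng = new SecureRandom()

    IdCodec(byte[] rawKey) {              // 16, 24 or 32 bytes, loaded from config, not source
        key = new SecretKeySpec(rawKey, 'AES')
    }

    String encode(Long id) {
        byte[] iv = new byte[IV_BYTES]
        rng.nextBytes(iv)                 // fresh nonce per token: same id yields different tokens
        Cipher c = Cipher.getInstance('AES/GCM/NoPadding')
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BYTES * 8, iv))
        byte[] ct = c.doFinal(ByteBuffer.allocate(8).putLong(id).array())
        byte[] out = new byte[IV_BYTES + ct.length]
        System.arraycopy(iv, 0, out, 0, IV_BYTES)
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length)
        Base64.urlEncoder.withoutPadding().encodeToString(out)
    }

    // Returns the id, or null when the token is malformed or fails the GCM tag check
    Long decode(String token) {
        try {
            byte[] raw = Base64.urlDecoder.decode(token)
            if (raw.length != IV_BYTES + 8 + TAG_BYTES) return null
            Cipher c = Cipher.getInstance('AES/GCM/NoPadding')
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BYTES * 8, raw, 0, IV_BYTES))
            return ByteBuffer.wrap(c.doFinal(raw, IV_BYTES, raw.length - IV_BYTES)).long
        } catch (IllegalArgumentException | GeneralSecurityException ignored) {
            return null                   // bad base64 or tampered token: treat as "not found"
        }
    }
}

// Demo with a constructed 16-byte key; a controller would do: Long id = codec.decode(params.id)
def codec = new IdCodec('0123456789abcdef'.bytes)
String token = codec.encode(3L)
assert codec.decode(token) == 3L
assert codec.decode(token[0..-2] + (token[-1] == 'A' ? 'B' : 'A')) == null   // flipped tag bits
assert codec.decode('3') == null                                             // raw id is rejected
```

In the controller, a null from `decode` should be answered with the same 404 as a missing entity, so the response does not reveal whether a token was merely malformed or forged.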