We have a Java-based web application where we use HDIV as our security framework. Fundamentally our app does not have any form tags; rather, we have many AJAX calls which bring JSON/HTML responses with which the cards in the pages are constructed.

We are making use of POST requests while dealing with sensitive data. That data is sent in the POST request body. In order to be security compliant we do not include POST request URLs in the hdiv:startPages, and if we do that we are getting HDIV-related exceptions in our error log saying "HDIV_PARAMETER_NOT_EXISTS;". We googled around and found that it is expecting the state ID, and from these URLs (https://github.com/hdiv/hdiv/wiki/Appendix-C:-Ajax and https://github.com/hdiv/spring-mvc-showcase/blob/master/src/main/webapp/WEB-INF/views/partialform.jsp) we figured out how the HDIV state ID can be added for AJAX endpoints.

But the catch here is that if the state ID is generated and appended as a query parameter to the AJAX end URL, then HDIV does not throw any exceptions, since it identifies the state ID parameter from the end URL. On the other hand, if we try to add the state ID in the request body, then it throws the exception "HDIV_PARAMETER_NOT_EXISTS;".

Precisely,

  • We are not supposed to include the POST request AJAX endpoint in hdiv:startPages.
  • In order to do that, we should append the state ID as part of the URL.
  • That state ID should be in the POST request body and not a query parameter in the URL.
  • An HDIV exception is thrown when the state ID is in the request body, and it works only if it is available as a query parameter in the endpoint.
  • For POST requests, generally it is not recommended to add a parameter as a query string value.

It would be great if someone could guide us in this regard.

Thanks!!! Sai

Sai

1 Answer

The same issue was answered in HDIV's GitHub issue tracker: https://github.com/hdiv/hdiv/issues/83 I hope it helps!

Gotzon Illarramendi (HDIV Team)

gillarramendi