
I need to add an encrypted parameter, let's say 'isAdd', to a URL

 www.example.com/aTestPage?isAdd=123

but I failed to do so, even though the parameter is not mentioned in the following section of wc-server.xml

  <NonEncryptedParameters display="false">
    <Parameter name="storeId"/>
    <Parameter name="langId"/>
    <Parameter name="catalogId"/>
    <Parameter name="categoryId"/>
    <Parameter name="productId"/>
  </NonEncryptedParameters>

but it is still visible in the URL. What should I do to make 'isAdd' encrypted?

I tried to add it to the following section of wc-server.xml but it didn't work.

 <ProtectedParameters>
   <Parameter display="false" name="isAdd"/>
 </ProtectedParameters>

UPDATE: URL generation

   <wcf:url var="aTestPage" value="aTestPage" type="Ajax">
      <wcf:param name="isAdd" value="${isAdd}" />
   </wcf:url>
ᄂ ᄀ
Just_another_developer
  • Note that this seems to be a specific question for the websphere commerce / commerceserver dev environment / runtime. I'll - eh - frown upon any generic answers that show how to "encrypt something" using a generic encryption algorithm. – Maarten Bodewes Apr 18 '17 at 12:08
  • Never worked with IBM WebSphere, but why encrypt params when we have SSL? Also, you could send the param in plain text and add an `HMAC` as the signature –  Apr 18 '17 at 13:39
  • @user7859067 HTTPS communications may be encrypted, but typically the purpose of encrypting parameters is to prevent authenticated users of an application from knowing parameter values or from changing the values of parameters in URLs. An id of an object may need to remain hidden from users. For example, an order Id may need to be hidden and only the OMS order Id shown. Sometimes, some systems use this encryption to prevent access to objects not owned by a user - although it's safer to use authorisation checks for this. – Tasos Zervos Apr 19 '17 at 11:06
  • @TasosZervos HTTPS is encrypted, and must be, actually. Plus, as I mentioned, even if the param values are transferred publicly and unencrypted, a request HMAC could prevent changes to any param, as the server will find an invalid signature. Also, if you want to hide the values of some data, why send it to the client? Just keep it on the server and send a random value which points to it, something like session objects. –  Apr 19 '17 at 13:44
  • @user7859067 Typical ecommerce sites developed on WCS are not going to customise the platform and implement anti-tampering measures like request HMACs to deal with the issue of URL parameters. Sessions can help, but can also have a cost, particularly on clustered setups. I agree with your options as a general approach, but the norm in big WCS projects is very limited flexibility and a preference to re-use the mechanisms of the platform. Hence, the question on how to use the standard WCS "krypto" mechanism. – Tasos Zervos Apr 20 '17 at 12:47
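
The request-HMAC alternative discussed in the comments above, as an added example that is not part of the question, the comments, or WebSphere Commerce: parameters such as `isAdd` stay readable (confidentiality is TLS's job), but the server rejects any URL whose query or path was altered. The secret key, the `sig` parameter name and the path-binding are assumptions of this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed server-side key for the demo; in practice load it from a
# secrets store, never from page templates or client-side code.
SECRET_KEY = b"constructed-demo-key-not-for-production"
SIG_PARAM = "sig"  # assumed name of the signature parameter


def canonical_query(params):
    """Deterministic encoding (sorted by name, then value) so signer and
    verifier hash identical bytes regardless of parameter order."""
    return urlencode(sorted(params))


def sign_url(url, key=SECRET_KEY):
    """Append an HMAC-SHA256 signature over the path and query of `url`."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != SIG_PARAM]
    # Binding the path stops a valid query being replayed against another command.
    msg = (parts.path + "?" + canonical_query(params)).encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    query = urlencode(params + [(SIG_PARAM, sig)])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def verify_url(url, key=SECRET_KEY):
    """Return the verified parameters as a dict, or None when the signature
    is missing, duplicated, or does not match (a parameter was changed or added)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == SIG_PARAM]
    if len(sigs) != 1:
        return None
    params = [(k, v) for k, v in pairs if k != SIG_PARAM]
    msg = (parts.path + "?" + canonical_query(params)).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time compare: a plain == would leak how many leading digits match.
    if not hmac.compare_digest(expected, sigs[0]):
        return None
    return dict(params)


if __name__ == "__main__":
    signed = sign_url("https://www.example.com/aTestPage?isAdd=123&storeId=10001")
    print(signed)
    print(verify_url(signed))                                     # verified dict
    print(verify_url(signed.replace("isAdd=123", "isAdd=999")))   # None: tampered
```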

1 Answer


Is your URL using HTTPS/SSL? "if the command is to use SSL, then the parameters are encrypted" and all parameters not in the NonEncryptedParameters list will get encrypted [as a single value] and appear as the "krypto" parameter.

Tasos Zervos