If user try to change parameter through url
There's a case where the user changes the parameters sent to the servlet through the URL.
Is there any way to restrict the user from changing parameters?
If not, how can I manage all parameters sent to servlets? In a case where there are many, is it reasonable to check each one in turn?
You can't restrict the user from sending you anything.
It is the server-side where you can add restrictions.
Usually you get only the parameters you need, so additional parameters should not bother you.
You definitely should check parameters sent to your servlet. That's basically what you do anyway, since that's the way clients (such as web pages) communicate with your application.
The simplest way is to hash the parameters with some hidden secret, and pass that back with the URL, then compare the hash to the URL parameters to make sure they match.
Another way is to not use individual parameters, but encrypt them into an encoded bunch of characters, and the whole thing is decrypted on return.
The hash is easier to implement if you don't care that the user sees the actual parameters.
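The hashing approach in this answer, as an added example that is not from the original post: an HMAC over the parameters, computed with a server-side secret and appended as an extra parameter, then recomputed and compared when the request comes back. The parameter name `sig`, the class name and the use of HmacSHA256 are assumptions; it needs only the JDK (Java 10 or later for `URLEncoder.encode(String, Charset)`).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** HMAC tag over the parameters a servlet emits in a URL, checked when they come back. */
public final class SignedParams {
    private static final String ALGO = "HmacSHA256";
    private static final String SIG = "sig";   // assumed name of the tag parameter
    private final SecretKeySpec key;

    /** The secret stays on the server: load it from configuration, never embed it in a page. */
    public SignedParams(byte[] secret) { this.key = new SecretKeySpec(secret, ALGO); }

    /** Canonical form: names sorted and each pair URL-encoded, so the order in the URL is
     *  irrelevant and a value cannot be confused with a name. The tag itself is excluded. */
    private static String canonical(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (SIG.equals(e.getKey())) continue;
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8)).append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8)).append('&');
        }
        return sb.toString();
    }

    /** Tag to append as &sig=<tag> when the server builds the link. */
    public String sign(Map<String, String> params) {
        try {
            Mac mac = Mac.getInstance(ALGO);
            mac.init(key);
            byte[] tag = mac.doFinal(canonical(params).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException ex) {
            throw new IllegalStateException(ex);
        }
    }

    /** Recompute and compare in constant time; any edited, added or removed parameter fails. */
    public boolean verify(Map<String, String> params) {
        String presented = params.get(SIG);
        if (presented == null) return false;
        byte[] expected = sign(params).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

In the servlet, build the `Map<String, String>` from `request.getParameterMap()` (whose values are `String[]`) and reject the request when `verify` returns false. The tag proves the parameters were issued by your server unmodified, not who is presenting them; include the session id among the signed parameters if a link must not be reusable by another user.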
You cannot avoid someone typing in the URL, but what you do in your servlet is filter the input received from the URL, with some Java code.
Example:
Just found an interesting link where a Servlet Filter is used to filter out XSS attacks (as you see, there is no such code that avoids someone typing certain characters in the URL, or similar): Link
Simply put, you cannot stop the users from changing the parameters.
You must do input validation on all parameter values. If you have a variable that contains sensitive information, you do not put that on the URL. A really bad example: http://mydomain.com/myservlet?isAdmin=1. Information such as that needs to go into a session since that is stored on the server and out of the user's reach.