Lightswitch HTML Client: encrypt (deep linking) URL

  • Question

  • Hello.

    I use deep linking to give a user direct access to a record with the help of a URL. That works like this, e.g.:

    http://localhost:1234/HTMLClient/?entity=DBData/tblTest(1)

    In the above URL the record with the ID=1 is called. This works fine.

    Now I want to encrypt the URL so the user cannot conclude how to navigate to another record “…tblTest(2)” and so on.

    (By the way: I used Access2013 (WebApp) to generate the database. The database is stored somewhere in Azure (SQL Server). I tried with the Access ReplicationID, but while importing to WebApp (Azure/SQL Server) the column is changed to string (short text) and there is a new column named ID with the type “Integer”. Then I tried to change the table (or add a new one) via MS SQL Server Management Studio to add a uniqueidentifier column, but with the credentials of the Access Web App I have no permission to do so. The only way to change/add tables is to do this with the help of Access.)

    So are there any other ways to encrypt the URL to obfuscate the recordID?


    • Edited by Ingo67LS Monday, July 7, 2014 9:20 PM err
    Monday, July 7, 2014 9:18 PM

Answers

  • You don't mention where/how you create the URLs, so I'm not sure whether they are generated in C# or JavaScript, for example.

    I would go for a simple obfuscation like the following (pseudo code):

    var obfuscatedParameters = obfuscateString("entity=DBData&id=1");
    var link = myapp.rootUri + "?p=" + obfuscatedParameters;

    The obfuscateString() function could then be implemented using a suitable method as discussed in the Stack Overflow thread (JavaScript to JavaScript or C# to JavaScript, etc.): http://stackoverflow.com/questions/746347/simple-string-encryption-in-net-and-javascript

    On the receiving end you can read the obfuscated "p" URL parameter and unobfuscate (is there such a word?) it by implementing a simple unobfuscateString() function (using the reverse algorithm) and then parsing the actual parameter values from that string.

    We have successfully used a similar approach for an SSRS-based report view page implemented in an aspx page that allows us to pass any number of parameters as one big obfuscated string.

    Hope this gives you some ideas.


    Regards, Xander.

    • Edited by novascape Tuesday, July 8, 2014 1:43 AM
    • Proposed as answer by Hessc Tuesday, July 8, 2014 2:22 AM
    • Marked as answer by Ingo67LS Tuesday, July 8, 2014 9:28 AM
    Tuesday, July 8, 2014 1:41 AM
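
One way to fill in the obfuscateString()/unobfuscateString() pair from the answer above, as an added example that is not code from the thread or from LightSwitch. It swaps the "simple obfuscation" for authenticated encryption (AES-256-GCM), so a token that has been edited is rejected instead of decoding to some other record. Assumptions: it runs in Node.js, the key is constructed for the demo and would in practice stay on the server rather than in client script, and buildLink/readLink are hypothetical helper names.

```javascript
// Added example; Node.js built-in crypto only.
const nodeCrypto = require('crypto');

// Constructed demo key (assumption: real keys come from server-side
// configuration and are never embedded in script sent to the browser).
const DEMO_KEY = nodeCrypto.createHash('sha256').update('constructed-demo-key').digest();

// Encrypt a parameter string such as "entity=DBData&id=1" into one URL-safe token.
// Token layout: 12-byte nonce | 16-byte auth tag | ciphertext, base64url encoded.
function obfuscateString(params, key) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every token
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(params, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Reverse step: returns the parsed parameters as an object,
// or null when the token is malformed, modified, or made with another key.
function unobfuscateString(token, key) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length < 12 + 16) return null; // too short to hold nonce and tag
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const text = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return Object.fromEntries(new URLSearchParams(text.toString('utf8')));
  } catch (err) {
    return null; // tag check failed: do not trust any of the content
  }
}

// Build the link with the single "p" parameter, as in the pseudo code.
function buildLink(rootUri, params, key) {
  return rootUri + '?p=' + obfuscateString(params, key);
}

// Receiving end: read "p" from the link and recover the parameters.
function readLink(link, key) {
  return unobfuscateString(new URL(link).searchParams.get('p'), key);
}
```

A token only hides the record ID; whether the signed-in user may read the record it names still has to be checked by the data service.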

All replies

  • very cool
    Tuesday, July 8, 2014 2:22 AM
  • Hello Xander.

    First, I have to apologize for my bad English and LS skills. Maybe I did not use the correct wording for this issue (it can be that “deep linking” is wrong in this context).

    I do not create the URL. It matches the following pattern:

    e.g.:

    "http://localhost:1234/HTMLClient/?entity=" & DataService & "/" & table & "(" & recordID & ")"

    where:

    DataService = DBData

    Table = tblTest

    RecordID = 1

    The only thing I have to do is to set the standard screen (view-screen) of the table. When someone then uses the above URL (or similar) the user gets to the corresponding recordset.

    So if I obfuscate the URL where in LS do I have to decrypt, so that the User gets to the destination?

    Tuesday, July 8, 2014 7:28 AM
  • Hi again.

    I found out:

    In the _created method of the Home-Screen.

    Thank you for your help!

    Tuesday, July 8, 2014 9:28 AM