QueryCrypt is now open sourced
What is it?
QueryCrypt allows you to encrypt the query parameters in the URLs you create within your Java, JSP, or Servlet based application. If you are developing a Java web application and security is an important factor in its delivery, one way to further secure it is to encrypt the query parameters of the URLs you create to move within the application. QueryCrypt's Java API (along with its J2EE Servlet architecture) allows you to seamlessly create a secure environment for all the query parameters that you pass on via click-throughs within your application. While applications are responsible for protecting their own data using schemes like HTTPS/SSL, JAAS and other authentication and authorization services, QueryCrypt provides the ability to translate the URLs that you create into something more secure (encrypted). The demonstration below shows you visually what QueryCrypt provides.
QueryCrypt Illustration
What it is not?
It is not a replacement for the HTTPS/SSL security of your application, nor does it provide JAAS or any similar method-level or class-level security.

Features
Easily configurable with Servlet Init parameters on server startup.
Creates a unique set of private key(s) for each user-session and encrypts all user-session query data with that unique set of private key(s). One private key set per user-session.
We use the user-session specific key set and the DESede algorithm (the triple DES variant with three DES keys) to encrypt all query data. See link on DESede for further information on the level of security.
What the user sees in their URL is a unique MD5 message digest of the encrypted result. This further prevents hackers from guessing the user-session key set.
Ability to timeout query parameters to further enhance the security.
Customize the query name so that it masks the use of this product in your server architecture. For example, you can call your encrypted query parameter _tm=encrypted_value.
Built-in mechanism to prune stale or expired user-session data when the session expires, to maintain a small memory footprint.
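
The session-key, digest and timeout features listed above, sketched as an added example that is not QueryCrypt's own source. SessionQueryVault, protect and reveal are hypothetical names, and the CBC mode, random IV and server-side lookup of the ciphertext by its MD5 token are assumptions about how such a design could be built.

```java
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

/** Hypothetical class, not part of QueryCrypt: one instance per user session. */
public class SessionQueryVault {
    private static final class Entry {
        final byte[] iv, ct; final long expiresAt;
        Entry(byte[] iv, byte[] ct, long exp) { this.iv = iv; this.ct = ct; expiresAt = exp; }
    }
    private final SecretKey key;  // unique to this session
    private final Map<String, Entry> byToken = Collections.synchronizedMap(new HashMap<>());
    private final SecureRandom rng = new SecureRandom();
    public SessionQueryVault() throws GeneralSecurityException {
        key = KeyGenerator.getInstance("DESede").generateKey();  // three-key triple DES
    }
    /** Encrypts the query string and returns the MD5 token to place in the URL. */
    public String protect(String query, long ttlMillis) throws GeneralSecurityException {
        for (String pair : query.split("&"))  // reject mismatched name=value pairs
            if (!pair.matches("[^=&]+=[^=&]*")) throw new IllegalArgumentException("bad pair");
        byte[] iv = new byte[8];  // DESede block size
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(query.getBytes(StandardCharsets.UTF_8));
        byte[] md5 = MessageDigest.getInstance("MD5").digest(ct);  // digest of the encrypted result
        String token = String.format("%032x", new BigInteger(1, md5));
        byToken.put(token, new Entry(iv, ct, System.currentTimeMillis() + ttlMillis));
        return token;
    }

    /** Resolves a URL token; returns null when it is unknown or has timed out. */
    public String reveal(String token) throws GeneralSecurityException {
        Entry e = byToken.get(token);
        if (e == null || System.currentTimeMillis() > e.expiresAt) { byToken.remove(token); return null; }
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(e.iv));
        return new String(c.doFinal(e.ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SessionQueryVault v = new SessionQueryVault();
        String t = v.protect("BankID=1234&AccountID=J5678&TrasactionID=25", 60_000);  // sample query from this page
        System.out.println("_tq=" + t + " -> " + v.reveal(t));
    }
}
```

DESede and MD5 appear in this sketch only because the page names them; both are legacy algorithms, and a present-day build of the same idea would use an AEAD cipher such as AES-GCM with a random opaque token.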

How do I use it?
Step 1: Add JAR
Add QueryCrypt.jar to the web application's /WEB-INF/lib directory.
Step 2: Add properties to /WEB-INF/web.xml
Define the listener tag:
		<listener>
			<listener-class>com.guhesan.querycrypt.QueryCryptSessionListener</listener-class>
		</listener>
	

Define the servlet tag, set your queryName, and choose whether to enable debug:
	<servlet>
		<servlet-name>QueryCryptServlet</servlet-name>
		<display-name>Query Crypt Servlet</display-name>
		<servlet-class>com.guhesan.querycrypt.QueryCryptInitServlet</servlet-class>
		<init-param>
			<param-name>queryName</param-name>
			<param-value>_tq</param-value>
		</init-param>
		<init-param>
			<param-name>debug</param-name>
			<param-value>true</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
	
Step 3: QueryCrypt is ready to be used.
See the examples below for how to use the encrypt() and decrypt() methods within your code.

What do I get?
QueryCrypt.jar This file contains the classes that make up the QueryCrypt engine framework. This JAR needs to be in your /WEB-INF/lib directory. It is compatible with Java JDK version 1.3.1 or later.
QueryCrypt.war A sample WAR file showing you how to encrypt() and decrypt() query strings.
QueryCrypt_jdocs.jar JavaDocs for Query Crypt.

Encrypting the query string:
Suppose you had a query string such as the following:
BankID=1234&AccountID=J5678&TrasactionID=25
By definition, a query string consists of name=value pairs separated by ampersands ("&"). The system will not accept input data containing a mismatched name=value pair.
To encrypt the string in JSP:
			<%@ page import="com.guhesan.querycrypt.QueryCrypt" %>
			<%
				String plainString = "BankID=1234&AccountID=J5678&TrasactionID=25";
				String encryptedS = QueryCrypt.getInstance().encrypt(request, plainString);
			%>
			<A HREF="<%=request.getContextPath()%>/URL_U_WANT_TO_GO.jsp?<%=encryptedS%>">Click here for the secure transaction</A>
	

Decrypting the query string:
Suppose you had an encrypted string such as the following:
someURL.jsp?_tq=c95a29f62075cf63028be5ec6ba48be0
To decrypt in JSP:
		<%@ page import="com.guhesan.querycrypt.QueryCrypt" %>
		<%@ page import="com.guhesan.querycrypt.beans.RequestParameterObject" %>
		<%
		RequestParameterObject rpo = QueryCrypt.getInstance().decrypt(request);
		%>
	
You can now use the methods available in the RequestParameterObject to get the name=value pairs.
The following methods are available for RequestParameterObject:
    java.util.Map RequestParameterObject.getParameterMap();
    java.lang.String RequestParameterObject.getParameter(java.lang.String name);
    java.util.Enumeration RequestParameterObject.getParameterNames();
    java.lang.String[] RequestParameterObject.getParameterValues(java.lang.String name);
    String RequestParameterObject.toString();
    

Java Docs and API Documentation:
You can view the JavaDocs for the classes here.

It's now available for download under the GPL License.
As of August 02, 2006, Aveda Technology has decided to allow the use of this code under the GPL license. Aveda Technology distributes this code as is, does not hold any warranties, and cannot be held liable for any damages incurred through use of this product.
The following versions are available:
(If you have updates, send them back and we'll gladly share them with the world) :-)
Last Updated: August 02, 2006
QueryCrypt.jar
QueryCrypt.war
QueryCrypt.zip (includes ant build scripts)
QueryCrypt_jdocs.jar
QueryCryptWithSrc.war

Need Support?
You can email us at support@avedatech.com for help on this product and other products that we sell. If you wish to have custom work done or the downloaded product customized to suit your needs, please contact sales@avedatech.com for pricing and options.

Copyright © 2001-2003 Guhesan Technologies, Inc.
AvedaTech is a trademark of Guhesan Technologies, Inc. All other trademarks or registered trademarks are the property of their respective holders.