We have built certain functionality using ABAP webdynpro. This is called from the Portal, for this an iview is used.
For licensing reasons we dont want to create ten thousands of users in the backend, but we want to execute the webdynpro under a generic account in the backend.

We got this working using user mapping on a specific portal role.

One of the parameters we want to hand over to the webdynpro is the userid on the portal. We do this via 'Application Parameters' in the iView.

This all works fine, but in a http trace we see the three parameters (backend-userid, password and portal-userid) in plain text, traffic is sent via https but the url is build in internet browser. A smart person could easily create an url using another portal-userid.
The first two (backend-userid and password) are not a problem because backend authorizations are restricted, but we dont want the portal-userid to be that clear.

Does anyone have an idea how to solve this?
I see that there is a parameter 'Customer Exits for ParameterProvider'. If I interpret things correctly this way operations are possible on parameters, like scrambling the portal-userid (which can be descrambled in webdynpro). Anyone experience with this?