
Hack proofing JSP

 
Debashish Chakrabarty
Ranch Hand
Posts: 231
Hi Ranchers,
I dunno if this is too elementary a question, still... I have a JSP (say firstPage.jsp) that will have a button (or maybe a hyperlink) to call another JSP (say secondPage.jsp) and pass it some parameter (either through the query-string or a hidden form field).
What my customer wants is that somebody who types in the URL of secondPage.jsp directly (correct with query-string) should not be able to get past. The one and only way to secondPage.jsp should be through firstPage.jsp.
How can I ensure that? Will checking the HTTP Referrer in secondPage.jsp suffice?
Thanks for your time.
 
Lasse Koskela
author
Sheriff
Posts: 11962
Another option could be to put something into the HttpSession while processing firstPage.jsp, which indicates to secondPage.jsp that the user came via firstPage.jsp. (this "stuff" needs to be removed from the HttpSession by secondPage.jsp as a sort of "replay attack defense")
This way you don't have to rely on the HTTP client (= web browser) to send correct headers.
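The session-based check described in the reply above, written out as an added example (it is not code from this thread or from any of the posters). It goes one step beyond the post: firstPage.jsp mints a random token, stores it in the HttpSession and puts it into the link, and a filter in front of secondPage.jsp accepts the request only if the presented token matches the session copy, removing the copy on first use so a refresh, a bookmark or a hand-typed URL (with or without the query-string) is rejected. It assumes a servlet container with the javax.servlet API on the classpath; the attribute name "secondPageToken", the request parameter "token" and the class name SecondPageGuard are constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Guards secondPage.jsp. Map it in web.xml with
 *   <filter-mapping><filter-name>secondPageGuard</filter-name><url-pattern>/secondPage.jsp</url-pattern></filter-mapping>
 * In firstPage.jsp, build the link as
 *   <a href="secondPage.jsp?token=<%= SecondPageGuard.issueToken(session) %>">next</a>
 * (constructed names; not part of any framework).
 */
public class SecondPageGuard implements Filter {
    static final String TOKEN_ATTR = "secondPageToken";   // constructed attribute name
    static final String TOKEN_PARAM = "token";            // constructed parameter name
    private static final SecureRandom RNG = new SecureRandom();

    /** Called while rendering firstPage.jsp: stores a fresh one-time token in the session and returns it for the link. */
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        // URL-safe base64 without padding, so the token can go straight into a query-string
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
        return token;
    }

    /**
     * Returns true at most once per issued token. The session copy is removed
     * before the comparison, so a second request with the same token (replay,
     * refresh, back button) fails even if the first one succeeded.
     */
    static boolean consumeToken(HttpSession session, String presented) {
        if (session == null || presented == null) {
            return false;                       // no session or no token: not via firstPage.jsp
        }
        Object expected = session.getAttribute(TOKEN_ATTR);
        session.removeAttribute(TOKEN_ATTR);
        if (!(expected instanceof String)) {
            return false;
        }
        // constant-time comparison; avoids leaking how many leading characters matched
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): do not create a session for a caller who never saw firstPage.jsp
        if (!consumeToken(request.getSession(false), request.getParameter(TOKEN_PARAM))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);               // token was valid: let secondPage.jsp render
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Because the decision is made in a filter rather than in a scriptlet at the top of secondPage.jsp, the check runs before any of the page's output is committed and cannot be skipped by an include or a different view of the same page. Nothing here depends on the Referer header, which the browser (or anything that is not a browser) is free to omit or set to whatever it likes.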
 
SJ Adnams
Ranch Hand
Posts: 925
no.
you should really have the servlet call an entitlements object before processing the request.
for a typical architecture the servlet might run the user entitlement (is the user allowed to access this page? query this data?) then maybe user preferences (which language? time format? default search parameters etc.) then actually perform the 'action' of the submit request.
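The entitlement-then-preferences-then-action ordering in the reply above, as an added example that is not code from this thread or from any poster. It is a minimal front-controller servlet: every request names an action, the entitlements object is consulted first (before any data is read or any preference applied), and the JSPs it forwards to live under /WEB-INF/, which a servlet container never serves to a client directly, so secondPage.jsp is reachable only through the controller. The Entitlements, Preferences and Action interfaces, the "action" parameter and the role name "secondPage" are constructed for the example; the entitlement implementation shown simply delegates to the container's own role check.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Map to /app/* in web.xml; clients request /app?action=secondPage instead of secondPage.jsp. */
public class FrontController extends HttpServlet {

    /** Is this user allowed to run this action / see this page?  (constructed interface) */
    interface Entitlements { boolean mayPerform(HttpServletRequest req, String action); }

    /** Per-user settings such as language or time format.  (constructed interface) */
    interface Preferences { void apply(HttpServletRequest req); }

    /** The work of the request; returns the view name to forward to.  (constructed interface) */
    interface Action { String perform(HttpServletRequest req) throws ServletException; }

    private Entitlements entitlements;
    private Preferences preferences;
    private final Map<String, Action> actions = new HashMap<>();

    @Override
    public void init() {
        // Constructed wiring: entitlement = container role check named after the action.
        entitlements = (req, action) -> req.getUserPrincipal() != null && req.isUserInRole(action);
        // Constructed preference: expose the user's locale to the view; a real one would load stored settings.
        preferences = req -> req.setAttribute("userLocale", req.getLocale());
        // Constructed action: validates the parameter firstPage.jsp passes along, then names the view.
        actions.put("secondPage", req -> {
            String id = req.getParameter("id");
            if (id == null || !id.matches("\\d{1,9}")) {
                throw new ServletException("bad or missing id");
            }
            req.setAttribute("id", Integer.parseInt(id));
            return "secondPage";                                  // -> /WEB-INF/jsp/secondPage.jsp
        });
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        Action handler = action == null ? null : actions.get(action);
        if (handler == null) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 1. entitlement: decided before any data is touched
        if (!entitlements.mayPerform(req, action)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 2. preferences
        preferences.apply(req);
        // 3. the action itself, then forward to a JSP that has no public URL
        String view = handler.perform(req);
        req.getRequestDispatcher("/WEB-INF/jsp/" + view + ".jsp").forward(req, res);
    }
}
```

Moving the JSPs under /WEB-INF/ is what makes the "one and only way" requirement enforceable: a request for /WEB-INF/jsp/secondPage.jsp from the network gets a 404 from the container, while the controller's forward() still reaches it. Combined with the one-time session token from the earlier reply, typing the URL by hand fails twice, once at the container and once at the entitlement step.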
 
Lasse Koskela
author
Sheriff
Posts: 11962
Simon is absolutely correct about the use of a controller (the servlet). However, if you're dealing with a small, simple application which doesn't need maintenance then it's perfectly acceptable to "go low" and drop the controller.
 