how to disable address bar in explorer

 
Syed Saifuddin
Ranch Hand
Posts: 130
Hello

I am facing a problem: if a user changes the value of an argument in the address bar, he can see the JSP page which is restricted to him.

Please tell me, is it possible to make the address bar read-only, disabled, or invisible to the user so the application becomes safe?

Thank you
 
Eric Pascarello
author
Rancher
Posts: 15385
You cannot do it.

Looks like you need to rethink the server side portion of the code.

Eric
 
Gregg Bolinger
Ranch Hand
Posts: 15304
Here is what I do. I have a Servlet for every single JSP. Sometimes, all the servlet does is forward to the JSP. So my url never shows a .jsp in the address bar. It will only be something like:

http://localhost:8080/app/page

Where page maps to a Servlet and the Servlet forwards to whatever JSP I need. Now if you pass parameters in the URL, which you still can, there is nothing you can do to keep people from changing these parameters. What you will have to do is, in your Servlet that accepts the request, make sure the parameters that are entered are valid for the request.
 
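The servlet-per-page pattern described above, as an added example that is not Gregg's own code. It assumes the Servlet 3.0+ API (javax.servlet, with an @WebServlet mapping) and hypothetical names: a PageServlet mapped to /page, a JSP at /WEB-INF/jsp/page.jsp, and an in-memory map standing in for the data store. Putting the JSP under /WEB-INF/ is what actually stops a user from typing the .jsp path into the address bar, since the container never serves that directory directly; the servlet then allow-lists the one parameter it accepts before doing anything with it.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Front controller for /app/page (hypothetical name). The JSP it renders lives
 * under /WEB-INF/, which the container never serves to a browser directly, so
 * requesting the .jsp path yields 404 and the only route to it is this servlet.
 */
@WebServlet("/page")
public class PageServlet extends HttpServlet {

    // Constructed sample data standing in for a database (hypothetical).
    private static final Map<Integer, String> RECORDS =
            Map.of(1, "first record", 2, "second record");

    // Allow-list for the one parameter this page accepts: a short decimal id.
    // Anything that does not match is rejected before any lookup or rendering.
    private static final Pattern ID_PATTERN = Pattern.compile("[0-9]{1,9}");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = req.getParameter("id");
        if (id == null || !ID_PATTERN.matcher(id).matches()) {
            // Malformed or tampered value: refuse it, do not try to repair it.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // At most nine digits, so parseInt cannot overflow here.
        String record = RECORDS.get(Integer.parseInt(id));
        if (record == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // The JSP renders only what the servlet hands it as a request attribute.
        req.setAttribute("record", record);

        // forward() happens inside the container; the browser still shows
        // /app/page?id=..., never the .jsp location.
        req.getRequestDispatcher("/WEB-INF/jsp/page.jsp").forward(req, resp);
    }
}
```

The check here is purely syntactic (is this a well-formed id that exists?). Whether the current user is allowed to see that particular record is a separate authorization decision that the same servlet has to make on every request.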
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65118
If you are relying on the client-side for security, you are doing it wrong. Just hiding the address bar isn't going to prevent anyone from trying to spoof your system.

Take for example an app I am working on. Depending upon roles and ownership rules, different users are allowed to access different sets of records. When a search is performed, only the records that the user is allowed to see are displayed. Clicking on a search result brings up the record's details.

If I relied on the fact that the user can't see a 'forbidden' record to click on it, I'd be doing it completely wrong.

When the request to view a record's details comes in, I check on the server side whether the user has permission to access the record or not. That way, anyone trying to spoof the system by typing in URLs and changing parameters is still unable to view records that they are not supposed to.

I also encrypt the parameter values so that true keys are not exposed on the client side. This makes it harder to spoof URLs as well.
 
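The two measures Bear describes, a per-request server-side permission check and encrypted parameter values, as an added example that is not Bear's code. The ownership/role policy, the record data and the user names are constructed for illustration; the opaque reference is built with AES-GCM under a server-held key, which is one way to encrypt the value (Bear does not say which scheme he uses). Because GCM authenticates the ciphertext, a token edited in the address bar fails to decrypt rather than decoding to a different record's id; the permission check still runs on every decoded id, so a valid link shared with or guessed by the wrong user is refused too.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Authorization for a record-details page, with opaque record references. */
public class RecordAccess {

    // Constructed sample data: record id -> owning user, plus an admin role.
    static final Map<Long, String> OWNERS = Map.of(1001L, "alice", 1002L, "bob");
    static final Set<String> ADMINS = Set.of("carol");

    // Hypothetical policy: the owner of a record and any admin may view it.
    static boolean mayView(String user, long recordId) {
        String owner = OWNERS.get(recordId);
        return owner != null && (owner.equals(user) || ADMINS.contains(user));
    }

    // Server-held key; in a real deployment this would be loaded from
    // configuration, not generated at class load.
    static final SecretKey KEY;
    static {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            KEY = kg.generateKey();
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }
    static final SecureRandom RNG = new SecureRandom();
    static final int IV_LEN = 12;   // 96-bit nonce, the standard GCM size
    static final int TAG_BITS = 128;

    // Turn a database key into the value that goes into the link.
    static String toToken(long recordId) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);   // fresh nonce per token; never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(ByteBuffer.allocate(8).putLong(recordId).array());
        byte[] out = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Recover the key from the link value; any edit to the token makes
    // doFinal throw AEADBadTagException instead of returning a wrong id.
    static long fromToken(String token) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        byte[] pt = c.doFinal(in, IV_LEN, in.length - IV_LEN);
        return ByteBuffer.wrap(pt).getLong();
    }

    // What the details servlet does with the "ref" parameter: returns the record
    // id to render, or -1 when the request must be refused (send 403 or 404).
    static long resolveForView(String user, String ref) {
        long id;
        try {
            id = fromToken(ref);
        } catch (Exception e) {
            return -1;   // malformed or tampered token
        }
        // The permission check runs no matter how the id arrived.
        return mayView(user, id) ? id : -1;
    }

    public static void main(String[] args) throws Exception {
        String aliceLink = toToken(1001L);
        System.out.println("owner:    " + resolveForView("alice", aliceLink));
        System.out.println("other:    " + resolveForView("bob", aliceLink));   // refused: not owner, not admin
        System.out.println("admin:    " + resolveForView("carol", aliceLink));
        System.out.println("tampered: " + resolveForView("alice", aliceLink.substring(1)));
    }
}
```

The encryption only hides the real key and makes tokens unforgeable; it is the mayView call that enforces who may see what. Dropping the check because "the id is encrypted" would let any user who legitimately received a link reuse it after their access is revoked.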