
security in JSPs

 
Marilyn de Queiroz
Normally the user logs in, is authenticated, and accesses various pages via a submit button (doPost() stuff). However, I wonder if there is a way to prevent the user from just typing the URL of the JSP and seeing the page? If I call a method (authenticate()), I sometimes get a login page at the top of the page and the original page at the bottom of the page.
 
Jeroen Wenting
Sounds like a logic error in your code.

Ditch frames.

If you use a controller servlet to receive all requests and place a block on the JSP directory so JSPs can't be called directly (but only via a request forward) nothing can call the JSPs or even know the URLs.

If the user isn't logged in, forward to the login page.
If the user is logged in (place username in the session for example as an indicator) forward the request to the correct JSP (or servlet).
 
Marilyn de Queiroz
"If you use a controller servlet to receive all requests and place a block on the JSP directory so JSPs can't be called directly (but only via a request forward) nothing can call the JSPs or even know the URLs."

Yep. We're using a controller servlet and no frames. How do I "place a block on the JSP directory"?
 
Junilu Lacar
See http://www.javaworld.com/javaworld/jw-09-2004/jw-0913-struts.html for some options involving web.xml.
 
Bear Bibeault
You can either place the JSPs in a folder hierarchy under the WEB-INF folder (which the servlet container will never directly serve resources out of), or place a security constraint on the JSPs as Jeroen indicated in this topic.
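
An added example, not code posted by anyone in this thread: a controller servlet that combines the session check described earlier with JSPs kept under WEB-INF. The `/WEB-INF/jsp/` paths, the page names, the `username` session attribute and the idea that the login form posts to a separate servlet are all assumptions.

```java
// Added example for a javax.servlet container (newer containers use jakarta.servlet).
// Assumed: this servlet is mapped to /app/* in web.xml and the login form
// posts to a separate login servlet that stores "username" in the session.
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ControllerServlet extends HttpServlet {
    private static final String LOGIN_VIEW = "/WEB-INF/jsp/login.jsp";

    // Allow-list of logical page names; the request never supplies a file path.
    private static final Map<String, String> VIEWS = Map.of(
        "/home", "/WEB-INF/jsp/home.jsp",
        "/orders", "/WEB-INF/jsp/orders.jsp");

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): do not create a session for an anonymous visitor.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("username") != null;

        if (!loggedIn) {
            req.getRequestDispatcher(LOGIN_VIEW).forward(req, resp);
            return; // stop here so only the login page is written to the response
        }

        // Map.of(...) rejects null keys, so check the path before the lookup.
        String path = req.getPathInfo();
        String view = (path == null) ? null : VIEWS.get(path);
        if (view == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Pages behind a login should not be replayed from a shared cache.
        resp.setHeader("Cache-Control", "no-store");
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```

Because the JSPs sit under WEB-INF, a URL typed straight to one of them is refused by the container, and the only route to a page is a forward from this servlet after the session check.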
 
Marilyn de Queiroz
Thank you. I didn't see that thread when I searched, and I probably wouldn't have looked at the other page since we're not using Struts.
[ October 06, 2004: Message edited by: Marilyn de Queiroz ]
 