
session vulnerable pages

 
Jason Kwok
Ranch Hand
Posts: 126
Hi,
I have a webapp where a user can login and edit their profile, password, and view sales/financial history. I use the MVC pattern so the user views this information on jsp pages which are fed info from a servlet controller which interacts with a model.
My question is, after I've logged in and viewed those jsp pages with the sensitive info on them and log out, I can still view that information if I type in the URL for any of those pages. How can I prevent this?
When log out is performed I use session.invalidate(). I have the customer's info saved in the session using a userbean and salesbean. Would these beans not be removed when I use session.invalidate()?

I was thinking for those sensitive pages which are in jsp... should I check to see if there is an existing session, and if not, redirect off those pages? Would that be the best way?
 
Bear Bibeault
Author and ninkuma
Marshal
should I check to see if there is an existing session, and if not, redirect off those pages?
Absolutely. If you're not checking, there's nothing to prevent access.

This is a great use for a servlet filter, by the way.
 
Ben Souther
Sheriff
Posts: 13411
You may also want to prohibit direct access to your JSPs - either by filtering for *.jsp or by putting the JSPs under the WEB-INF directory.
 
Jason Kwok
Ranch Hand
Posts: 126
Originally posted by Ben Souther:
You may also want to prohibit direct access to your JSPs - either by filtering for *.jsp or by putting the JSPs under the WEB-INF directory.

Ok I'm comfortable checking for a session and redirecting. However I'm not familiar with the 'filter' method you're talking about. Is there somewhere I can check that out?

Secondly, how would I filter for *.jsp? Would that be through some sort of mapping in my web.xml file? Or if I did put them under my WEB-INF directory, how would I reference them??

ex: http://localhost:8080/myStore/WEB-INF/myFile.jsp??
 
Jason Kwok
Ranch Hand
Posts: 126
Originally posted by Bear Bibeault:
Absolutely. If you're not checking, there's nothing to prevent access.
This is a great use for a servlet filter, by the way.

What is a servlet filter? And how would I use it? I've never heard of such a thing... which shows just how new I am to java!!

Thanks again Ben and Bear,
J
 
Ben Souther
Sheriff
Posts: 13411
First Filters:
http://www.google.com/search?hl=en&q=Servlet+Filter+Tutorial&btnG=Google+Search
The nice thing about them is that you can map them to URL patterns from web.xml without changing code or re-compiling.

Hiding JSPs under WEB-INF:
If you're using MVC you can forward to your JSPs just like you do now but in the WEB-INF directory. Browsers can't access WEB-INF directly but your servlets can.

[ April 13, 2005: Message edited by: Ben Souther ]
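An added example, not code from the thread, of the filter approach Bear and Ben describe: it intercepts every *.jsp request, lets it through only when the session still holds the poster's userbean attribute (the attribute name and login page path are assumptions), and exempts the login page itself so the redirect cannot loop. The web.xml mapping is shown in the trailing comment.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: guards JSP pages behind a login check (assumed names below).
public class LoginRequiredFilter implements Filter {

    private static final String USER_ATTRIBUTE = "userbean"; // assumed session key set at login
    private static final String LOGIN_PAGE = "/login.jsp";    // assumed login page path

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page is itself a *.jsp; skip the check for it or the
        // redirect below would bounce the browser back here forever.
        if (LOGIN_PAGE.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session. After session.invalidate()
        // on logout it returns null, so the old beans are gone and the user is
        // sent back to log in instead of seeing the page.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTRIBUTE) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}

/* web.xml mapping; the url-pattern can be changed without recompiling:
   <filter>
     <filter-name>LoginRequired</filter-name>
     <filter-class>LoginRequiredFilter</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>LoginRequired</filter-name>
     <url-pattern>*.jsp</url-pattern>
   </filter-mapping> */
```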
 
Adeel Ansari
Ranch Hand
Posts: 2874
Originally posted by Jason Kwok:
What is a servlet filter? And how would I use it? I've never heard of such a thing... which shows just how new I am to java!!

A filter is nothing but a complement to a servlet. You can get a free book from theserverside.com. It is not a very good book for beginners, but as you are not a beginner, you will find the book worthwhile.
 