
Servlet filter to restrict GET request

 
Prasanth S Pillai
Ranch Hand
Posts: 39
Hello ,

I am facing the below issue in my j2ee application.

The application code is written to support POST requests.
But if I try to access my application through the URL with the values (since I am the coder, I know the hidden parameters),
then I can access the website, bypassing the login page.

I have a servlet filter, but I am not sure if this is the right approach to block the request at this level. Can anyone guide me?

PP
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65335
A servlet filter is the correct approach to blocking unauthenticated requests -- but I have no idea what this has to do with your topic title.
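As an added illustration of the approach Bear recommends (this is example code written for this thread, not anything from the original poster's application), here is a filter whose only criterion is an attribute in the server-side session. The attribute name `authenticatedUser`, the login paths `/login.jsp` and `/logon`, and the `javax.servlet` 2.5 API are assumptions; the filter would be mapped to the protected URLs in `web.xml`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped in web.xml to /* (or to the protected paths only). The login form and
// the login action are exempted below so that users can still reach them.
public class AuthenticationFilter implements Filter {

    // Assumed attribute name; the login servlet sets it after a successful check.
    public static final String USER_ATTRIBUTE = "authenticatedUser";
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed path
    private static final String LOGIN_ACTION = "/logon";   // assumed path

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the web application, without the context root.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.equals(LOGIN_PAGE) || path.equals(LOGIN_ACTION)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session: an unauthenticated request
        // must not be able to manufacture one just by arriving here.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTRIBUTE) == null) {
            // Nothing the client controls (method, query string, form fields)
            // is consulted; only a session the login servlet populated passes.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The point of the design is the one Bear makes later in the thread: whether the request is a GET or a POST, and whether it carries a query string, is irrelevant to the filter, because the decision rests entirely on state the server created after a real login.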
 
Prasanth S Pillai
Ranch Hand
Posts: 39
Thanks for the response. I have changed the subject.

Can you please tell me how do I do the filtering if the request is of GET type?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65335
Firstly, are you checking for authentication or GET? Your requirements aren't clear.
 
Prasanth S Pillai
Ranch Hand
Posts: 39
Ok, let me give you the details.

As any application I have a login screen & authentication etc. It all works fine.

But if I type in the URL with the hidden parameters, then the application behaves the same way as if a valid user logged in.

So basically it is a query string in the URL (which is GET).
For this issue, I guess a servlet filter can be used where I can restrict the GET.
I hope the requirement is clear. Please let me know if it is not.
 
Pooja lachake
Greenhorn
Posts: 4
There are no guidelines provided by the servlet filter framework regarding whether to use filters on the login page.
But as per the Intercepting design pattern it is OK to use filters for authentication.
Instead of using the hidden parameters, the login details of the user can be read directly from the ServletRequest object.
I believe that your question is answered.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65335
How are you determining whether a user is logged in or not? There should be no way that they can type anything into a URL that will trick the system into thinking so.

You don't need to block GETs -- that's a symptom, not the issue. You need to make sure you are using appropriate algorithms.
 
Paul Clapham
Sheriff
Posts: 21551
Presumably the actual issue is that the application was written to support both POST and GET requests. It's simple enough to have GET requests to a servlet rejected; simply don't implement the doGet() method.
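To show Paul's point concretely, here is an added example of a login servlet that overrides only `doPost()`; it is example code written for this thread, not the original poster's code. The mapping `/logon`, the redirect targets `/login.jsp` and `/home`, the session attribute name `authenticatedUser`, and the single constructed demo credential are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped in web.xml to /logon (assumed). Only doPost() is overridden.
public class LoginServlet extends HttpServlet {

    // Assumed name; must match whatever the authentication filter looks for.
    private static final String USER_ATTRIBUTE = "authenticatedUser";
    // Constructed demo credential so the class runs without a user database.
    private static final String DEMO_USER = "demo";
    private static final String DEMO_PASSWORD = "correct horse";

    // There is deliberately no doGet() here. HttpServlet's inherited doGet()
    // answers 405 Method Not Allowed (400 under HTTP/1.0), so a URL typed into
    // the address bar, with or without credentials in the query string, never
    // reaches the credential check below.

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (username == null || password == null || !credentialsValid(username, password)) {
            response.sendRedirect(request.getContextPath() + "/login.jsp?error=1");
            return;
        }

        // Discard any pre-login session and start a fresh one before marking it
        // as authenticated, so a session id handed to the user earlier cannot be
        // reused (session fixation defence).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ATTRIBUTE, username);
        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Placeholder check against the constructed credential; a real application
    // compares against a salted password hash. MessageDigest.isEqual compares in
    // constant time so the comparison does not leak how many bytes matched.
    private boolean credentialsValid(String username, String password) {
        return DEMO_USER.equals(username)
            && MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8),
                                     DEMO_PASSWORD.getBytes(StandardCharsets.UTF_8));
    }
}
```

Note that this only closes the door on the login action itself; as Bear says elsewhere in the thread, every other protected resource still needs to check the session, not the request, which is the filter's job.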
 
Prasanth S Pillai
Ranch Hand
Posts: 39
@Paul Clapham: Yeah, I agree with your comment. Surprisingly, I do not have any doGet() methods implemented.
I am not sure why the application is accepting the URL query string pattern!
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65335
Whether there is a query string or not is moot -- a GET is a GET and a POST is a POST. How are you initiating the request?
 
Prasanth S Pillai
Ranch Hand
Posts: 39
I am manually entering the URL in the browser with hidden parameters. For instance:

http://www.XYZ.com/showresult/logon.do?naviagate=login&requestPath=&hiddenParam1=&username=Valid1&password=valid2

I hope this is what you had asked for.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65335
Prasanth S Pillai wrote: I am manually entering the URL in the browser with hidden parameters.

"hidden" parameters? There's no such thing on a URL. What do you mean by that?

In any case, entering a URL in a browser will result in a GET. If something is accepting the GET, it's not the servlet that has no doGet() method.
 
Jessid Leon Velez Gutierrez
Ranch Hand
Posts: 35
Hello Prasanth S Pillai. I am not a Java EE expert, but I think your approach for validating if the user has privileges for accessing some resources in your app should not rely on some "hidden" parameters. Perhaps you should use sessions or the security implemented by the container.
 
Yogesh Nerkar
Greenhorn
Posts: 1
Hi Prasant,

You can use servlet security to resolve your issue. You can probably use j_security_check at the login form action.
 
Prasanth S Pillai
Ranch Hand
Posts: 39
@Yogesh: That's my question. How do I filter GET requests in a servlet filter? In my application, the code will support only POST. But even if I pass the request (manually), the application is accepting the request and the control navigates to the respective page as if a valid user has logged in.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 65335
97
IntelliJ IDE Java jQuery Mac Mac OS X
You still have not answered the questions that were asked or adequately addressed the situation.
 
Prasanth S Pillai
Ranch Hand
Posts: 39
I thought my question was very simple. As I mentioned earlier, when I pass the required values for any action, say to get some information from the database, as a URL, the application works fine, even if the user does not use the login screen. In short, if I pass certain values, which include the user credentials as well, in the URL directly (manually), the application works fine - which I do not want.
It just bypasses the login authentication by all means.

Sorry, I can't explain it in a better way - blame it on my English.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 65335
97
IntelliJ IDE Java jQuery Mac Mac OS X
Without knowing how you are doing your credential checking and authorization -- which is almost certainly not doing a good job of it -- we cannot advise how to refactor it to be more robust.

Band-aiding the issue by doing things like filtering GETs will not fix the underlying problem. Your authentication scheme obviously is flawed and needs to be fixed.
 
leo donahue
Ranch Hand
Posts: 327
Prasanth,

I'm not sure why no one is simply pointing you in the right direction.

In short, do not attempt to devise your own solution to "logging in". Your container should provide you with a mechanism for this.

Some people have given you a keyword "authentication", but apparently you missed that hint. Download the Java Servlet Spec 2.5 and read the chapter on Security.

What you want is "Form Based Authentication", and optionally enable HTTPS, but that is another topic.
 
Prasanth S Pillai
Ranch Hand
Posts: 39
Thanks for all suggestions. I shall fix it.
 