Restrict direct access to my actions?

 
Greenhorn
Posts: 3
Howdy,

I'm trying to include some sort of security in my application.
Therefore I've already restricted access to the JSP files.
But it is still possible to type in one of the actions, like openPage2.do.

My structure is:
InitPageX.java
pageX.jsp
PerformPagex.java

and I don't have a way to force the user to ALWAYS go over the initPage class.

Can someone help me out?

Regards, Tom
 
Ranch Hand
Posts: 4864
Please check your private messages. You can do so by clicking on My Profile.
 
Merrill Higginson
Ranch Hand
Posts: 4864
One possible solution would be to have your initPage action place some object in the HTTPSession. Then have all the other actions check for the existence of this object. If it doesn't exist, redirect back to the initPage Action.

If you don't want to put this code in every action, you could implement a Servlet Filter that could perform this task.
[ September 12, 2007: Message edited by: Merrill Higginson ]
 
tom zygadlewicz
Greenhorn
Posts: 3
This seems like a good idea.
The problem is: I'm using Tiles, and each page is linked in my struts-config.xml with a direct action. Here, take a look:
struts-config:


tile-defs:
<definition name="vo1EntryPage" extends="default">
<put name="pagecontent" value="/vo1Entry.jsp"/>
</definition>

So if the user adds vo2.do to the address bar, he jumps right into the page, without any action class being used... I don't like that.

Is there a way to prevent this?

Regards, Tom
 
Ranch Hand
Posts: 544
Hi,
If you are planning to go for user authentication, then you can use Basic authentication. In this case you can protect the webapp resources using security constraints defined in web.xml.
The other one would be as suggested by Merrill. I suppose this is the Synchronizer Token pattern way. You expect some token to be available in the request and check for the existence of that token. If the token is validated, then go ahead; else redirect the user to an error page. We did it once and had the code in a Filter, as mentioned by Merrill.
Regards,
Amit
 
Merrill Higginson
Ranch Hand
Posts: 4864
This situation reminds me of a quote which goes something like...

The trouble with building an idiot-proof system is that the world keeps coming up with bigger and better idiots.

I don't think it's possible to make a system completely idiot-proof. This is just my two cents, but if there's no security risk, and the user just gets an oddly formatted page for his efforts at hacking the URLs, then I say there's no harm done.
 
Ranch Hand
Posts: 948
I don't quite get what you mean when you say "he jumps right into the page - without any actionclass being used". Your OnlineAction is still going to get called (unless I am missing something).

- Brent
 
Ranch Hand
Posts: 55
Why don't you just extend the RequestProcessor and set it up in the struts-config.xml as the controller and you can check in this one for authenticated users?

Add this after the action mappings and you should be fine.



You can also maintain a map of allowed actions that can be accessed without being logged in (login or help for ex). This way you will also have the tiles working.

Another best practice to secure the jsp files is to hide them behind the WEB-INF directory and access them only through actions.

A good article is here
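The Servlet Filter that Merrill describes (the init action stores a marker in the session, every other action checks for it) combined with the allow-list of open actions from the post above, written out as an added example rather than code from anyone in this thread. The attribute name, the action paths and the `*.do` mapping are assumptions for a typical Struts 1 setup.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Map this filter to *.do in web.xml so it runs before the Struts ActionServlet:
//   <filter><filter-name>entry</filter-name><filter-class>EntryPointFilter</filter-class></filter>
//   <filter-mapping><filter-name>entry</filter-name><url-pattern>*.do</url-pattern></filter-mapping>
public class EntryPointFilter implements Filter {
    // Session attribute the init action sets (assumed name); the init action does:
    //   request.getSession(true).setAttribute(EntryPointFilter.MARKER, Boolean.TRUE);
    public static final String MARKER = "entryPageVisited";

    // Actions reachable without the marker (assumed paths): the entry point itself,
    // plus things like login or help that must work before any session exists.
    private static final Set<String> OPEN_ACTIONS =
        new HashSet<String>(Arrays.asList("/initPage.do", "/login.do", "/help.do"));

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // With a *.do servlet mapping this is e.g. "/openPage2.do" (no context path).
        String action = request.getServletPath();

        // getSession(false) never creates a session for a request typed straight into
        // the address bar, so unmarked visitors cost nothing server-side.
        HttpSession session = request.getSession(false);
        boolean marked = session != null && session.getAttribute(MARKER) != null;

        if (marked || OPEN_ACTIONS.contains(action)) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + "/initPage.do");
        }
    }
}
```

Because the check happens before the ActionServlet, a direct hit on vo2.do is redirected regardless of whether the mapping forwards straight to a Tiles definition or goes through an action class.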
 