This week's book giveaway is in the Performance forum. We're giving away four copies of The Java Performance Companion and have Charlie Hunt, Monica Beckwith, Poonam Parhar, & Bengt Rutisson on-line! See this thread for details.
page1.jsp->page2.jsp->page3.jsp the person keys in the parameters for page1.jsp
page2.jsp authenticates whether the person is allowed to get data from database, if not it will throw exception message displayed in error page.
page3.jsp will then display the data in database.
Note: no servlet is used, authentication server code is on page2.jsp, there is some server code (if else ), but with functions imported from class.
Currently, it is using a session previous url to prevent from bypassing the flow of pages This means when a user is at page1.jsp (Session data: previousurl='page1.jsp')
and is trying to access page3.jsp, there will be an error message.
However, I am not very sure session data can be easily manipulated, which might cause some security issues.
One suggestion is servlet with filters, but I am not able to find some examples on the web for preventing bypassing of pages.