
forward ignores filter

 
Richard Hayward
Ranch Hand
I'm trying to use a Filter class to restrict access to certain pages, such as restricted.jsp

In my web.xml file, I have:



This works, if I try to go directly to restricted.jsp, as in

http://localhost:8080/FilterDemo/restricted.jsp

However, if I return that page as the result of a forward in my controller class:



then it seems the filter doesn't get involved & end user is returned the content of restricted.jsp, when they shouldn't be.
Am I missing something here, or is that just the way things are? If I have to put some sort of if statement in my controller code, each time I might want to forward to a potentially forbidden page:



it seems so messy, I might as well give up on using a Filter and have code that tests if the user is authenticated on each restricted page.

Could anyone advise?
 
Ulf Dittmer
Rancher
You need to specify that filters should be applied to forwards. See #2 in http://www.onjava.com/pub/a/onjava/2004/02/11/jspcookbook.html
 
Richard Hayward
Ranch Hand
Ulf Dittmer wrote: You need to specify that filters should be applied to forwards. See #2 in http://www.onjava.com/pub/a/onjava/2004/02/11/jspcookbook.html


Many thanks Ulf.
Problem solved.
 
Bear Bibeault
Author and ninkuma
Marshal
Why aren't you restricting access to the controller rather than the JSP? What is the advantage of allowing the controller to run before deciding to block?
 
Richard Hayward
Ranch Hand
Bear Bibeault wrote: Why aren't you restricting access to the controller rather than the JSP? What is the advantage of allowing the controller to run before deciding to block?


Two reasons:

What happens if, instead of going to the restricted page via the controller, as the user is supposed to:
http://localhost:8080/FilterDemo/Controller?action=restricted
they somehow discover the direct url & go to that instead:
http://localhost:8080/FilterDemo/restricted.jsp
Is it possible to put my jsp files somewhere in my server filesystem so that the controller can get them, but an end user cannot?

Secondly, I only want to restrict access to certain pages.
Everybody should be able to get to:
http://localhost:8080/FilterDemo/Controller?action=unrestricted
but only logged-in users should be able to get to:
http://localhost:8080/FilterDemo/Controller?action=restricted
So, I'd have to have filter-mappings in my web.xml

Does syntax like that work?
 
Ulf Dittmer
Rancher
Is it possible to put my jsp files somewhere in my server filesystem so that the controller can get them, but an end user cannot?

Yes, this is a common thing to want to do; the usual solution is to put the JSPs in a subdirectory of WEB-INF - nothing in there will ever be served directly to the client.


<url-pattern>/Controller?action=restricted</url-pattern>

Does syntax like that work?

I'm almost certain that you can't use parameters in such patterns. But even if you could I would advise against it. If you were to introduce some other URL parameter later, you might end up with /Controller?action=restricted&param=value and /Controller?param=value&action=restricted which are functionally identical, but only one of which is protected.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66153
146
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Richard Hayward wrote:
What happens if, instead of going to the restricted page via the controller, as the user is supposed to:
http://localhost:8080/FilterDemo/Controller?action=restricted
they somehow discover the direct url & go to that instead:
http://localhost:8080/FilterDemo/restricted.jsp
Is it possible to put my jsp files somewhere in my server filesystem so that the controller can get them, but an end user cannot?

Yes, as Ulf pointed out! The JSP pages that are being forwarded to via controller should be placed under the WEB-INF hierarchy. This still allows them to be forwarded to, but prevents them being directly accessed. That way, you never have to worry about your second scenario.

Secondly, I only want to restrict access to certain pages.

Does every page not have a controller? If so, limiting access to the controller prevents access to the page. I'm not really getting to a scenario where the controller gets the page ready for view, but at the last minute says "Oh, never mind".

Or perhaps your page controllers are doing too much? All they should be doing is getting a page ready for view. If the page isn't appropriate to view, the controller isn't appropriate to run.

Are you perhaps conflating task controllers and page controllers?
 