forward ignores filter

 
Ranch Hand
I'm trying to use a Filter class to restrict access to certain pages, such as restricted.jsp

In my web.xml file, I have:



This works, if I try to go directly to restricted.jsp, as in

http://localhost:8080/FilterDemo/restricted.jsp

However, if I return that page as the result of a forward in my controller class:



then it seems the filter doesn't get involved & end user is returned the content of restricted.jsp, when they shouldn't be.
Am I missing something here, or is that just the way things are? If I have to put some sort of if statement in my controller code, each time I might want to forward to a potentially forbidden page:



it seems so messy, I might as well give up on using a Filter and have code that tests if the user is authenticated on each restricted page.

Could anyone advise?
 
Rancher
You need to specify that filters should be applied to forwards. See #2 in http://www.onjava.com/pub/a/onjava/2004/02/11/jspcookbook.html
 
Richard Hayward
Ranch Hand

Ulf Dittmer wrote:You need to specify that filters should be applied to forwards. See #2 in http://www.onjava.com/pub/a/onjava/2004/02/11/jspcookbook.html



Many thanks Ulf.
Problem solved.
 
Sheriff
Why aren't you restricting access to the controller rather than the JSP? What is the advantage of allowing the controller to run before deciding to block?
 
Richard Hayward
Ranch Hand

Bear Bibeault wrote:Why aren't you restricting access to the controller rather than the JSP? What is the advantage of allowing the controller to run before deciding to block?



Two reasons:

What happens if, instead of going to the restricted page via the controller, as the user is supposed to:
http://localhost:8080/FilterDemo/Controller?action=restricted
they somehow discover the direct url & go to that instead:
http://localhost:8080/FilterDemo/restricted.jsp
Is it possible to put my jsp files somewhere in my server filesystem so that the controller can get them, but an end user cannot?

Secondly, I only want to restrict access to certain pages.
Everybody should be able to get to:
http://localhost:8080/FilterDemo/Controller?action=unrestricted
but only logged-in users should be able to get to:
http://localhost:8080/FilterDemo/Controller?action=restricted
So, I'd have to have filter-mappings in my web.xml

Does syntax like that work?
 
Ulf Dittmer
Rancher

Is it possible to put my jsp files somewhere in my server filesystem so that the controller can get them, but an end user cannot?


Yes, this is a common thing to want to do; the usual solution is to put the JSPs in a subdirectory of WEB-INF - nothing in there will ever be served directly to the client.


<url-pattern>/Controller?action=restricted</url-pattern>

Does syntax like that work?


I'm almost certain that you can't use parameters in such patterns. But even if you could I would advise against it. If you were to introduce some other URL parameter later, you might end up with /Controller?action=restricted&param=value and /Controller?param=value&action=restricted which are functionally identical, but only one of which is protected.
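
Added example, not code from any poster in this thread: a filter mapped to the controller path for both direct requests and forwards, which decides on the parsed `action` parameter so that parameter order in the query string cannot change the outcome. The class name, the `user` session attribute and the set of restricted actions are assumptions; it targets Servlet 3.0+ with the `javax.servlet` namespace.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter. In web.xml the same dispatcher setting is written as
// <dispatcher>REQUEST</dispatcher> and <dispatcher>FORWARD</dispatcher>
// inside the <filter-mapping>; without FORWARD, forwards skip the filter.
@WebFilter(urlPatterns = "/Controller",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD})
public class ActionAuthFilter implements Filter {

    // Assumed list of actions that require a logged-in user.
    private static final Set<String> RESTRICTED_ACTIONS = Set.of("restricted");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Parsed parameters, not the raw URL: ?action=restricted&x=1 and
        // ?x=1&action=restricted are the same here. Every supplied value is
        // checked, so a repeated "action" parameter cannot hide a restricted one.
        String[] actions = request.getParameterValues("action");
        boolean needsLogin = actions != null
                && Arrays.stream(actions).anyMatch(RESTRICTED_ACTIONS::contains);

        // Assumption: login code stores a non-null "user" attribute in the session.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        if (needsLogin && !loggedIn) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // stop here: the controller never runs
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```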
 
Bear Bibeault
Sheriff

Richard Hayward wrote:
What happens if, instead of going to the restricted page via the controller, as the user is supposed to:
http://localhost:8080/FilterDemo/Controller?action=restricted
they somehow discover the direct url & go to that instead:
http://localhost:8080/FilterDemo/restricted.jsp
Is it possible to put my jsp files somewhere in my server filesystem so that the controller can get them, but an end user cannot?


Yes, as Ulf pointed out! The JSP pages that are being forwarded to via controller should be placed under the WEB-INF hierarchy. This still allows them to be forwarded to, but prevents them being directly accessed. That way, you never have to worry about your second scenario.

Secondly, I only want to restrict access to certain pages.


Does every page not have a controller? If so, limiting access to the controller prevents access to the page. I'm not really getting to a scenario where the controller gets the page ready for view, but at the last minute says "Oh, never mind".

Or perhaps your page controllers are doing too much? All they should be doing is getting a page ready for view. If the page isn't appropriate to view, the controller isn't appropriate to run.

Are you perhaps conflating task controllers and page controllers?