
How to restrict access to JSP pages directly through URL

 
Ranch Hand
I don't want the user to access the JSP/HTML files directly by giving URLs. Is it a good idea to put them in the WEB-INF directory? If so, please let me know how to access or call them in my application.
 
Saloon Keeper
Yes, that is generally a good idea. You would use a request dispatcher from within a servlet.
 
Rancher
You need to create the mapping inside web.xml

 
Gayathri Gayu
Ranch Hand
The following is my index.html code.



Along with the code, should I do the mapping?



Is it correct?
 
Swastik Dey
Rancher


should be

 
Tim Moores
Saloon Keeper
The link would become "main" instead of "Register.jsp", assuming that index.html is in the top-level directory of the web app.

Edit: Swastik is faster than I am :-)
 
Gayathri Gayu
Ranch Hand

Swastik Dey wrote:

should be



Like the above, should I do a servlet mapping for whatever JSP pages I am adding?
 
Swastik Dey
Rancher
Yes
 
Rancher
If you've tucked away your JSPs behind WEB-INF, why are you then exposing them again?
JSPs shouldn't generally be an accessible end point.  You ought to be going through servlets.
Anything else implies that your JSP pages are doing some work of some sort, rather than just being the display.
 
Marshal
See this article for an explanation of how to properly structure a Java web app.
 
Gayathri Gayu
Ranch Hand

Swastik Dey wrote:You need to create the mapping inside web.xml



What is that myservlet? Because when I added the code in my web.xml, it's been underlined in red: The word 'myservlet' is not correctly spelled.
 
Dave Tolls
Rancher
Seriously, don't expose your JSP pages.
You're doing the right thing hiding them inside WEB-INF so they can't be accessed directly.
Don't mess that up now by exposing them as pretend servlets.

There is no need to include the JSP in that web.xml at all.
Just forward to "/WEB-INF/yourjsp.jsp" from your servlet when it's done whatever processing is needed.
 
Gayathri Gayu
Ranch Hand

Dave Tolls wrote:Seriously, don't expose your JSP pages.
You're doing the right thing hiding them inside WEB-INF so they can't be accessed directly.
Don't mess that up now by exposing them as pretend servlets.

There is no need to include the JSP in that web.xml at all.
Just forward to "/WEB-INF/yourjsp.jsp" from your servlet when it's done whatever processing is needed.



I too don't want to expose my JSP files. But how will I access or call them in my application if I am not including them in web.xml? Please let me know.
 
Dave Tolls
Rancher
Well, the only thing in your application that needs to access them is a servlet, which would process the request and then forward to the relevant JSP page, as I showed in my previous post.
 
Gayathri Gayu
Ranch Hand
When I try keeping my Register.jsp file inside the WEB-INF folder, how will I access it here? Because when I tried giving the path, it throws me an error.
 
Tim Moores
Saloon Keeper
Nothing in WEB-INF can be accessed directly. As both Dave and I have said, you need to use a request dispatcher which would then forward to the JSP.
 
Bartender
I think it's time for me to point out again that a URL path is not a filesystem path. A URL is a Uniform Resource Locator, and although it does have much the same syntax as a filesystem path, it's not the same.

When you pass a URL request to a webapp server, the server will parse and dissect the URL, using the various extracted parts to locate what is wanted. For example, in "https://coderanch.com:8443/forums/posts/forumx/000000" - which is an imaginary example, you break the URL into:

https: - the transport protocol used (SSL with default port 443)
// - indicates that the following text is a domain hostname
coderanch.com - the domain server name for Coderanch (what DNS looks up)
8443 - overrides the default Well-Known port number for the HTTPS protocol (443) to target the server's port 8443
forums - We'll assume that Coderanch has several different webapps, and that this is the Context name that indicates that the "forums" webapp will be used.

What we are left with is the webapp's resource path: "/forumx/000000". The other stuff was used to route the URL to the webapp. Now the webapp has to use the resource path to determine what to respond with. This is where it gets confusing for most people. Note that the resource path begins with "/". In a Unix-like filesystem, that would indicate the root of the filesystem. But a webapp resource is its own universe, and so it has its own root. That's important, because otherwise Bad People could code a resource like "../../../sensitivedata/social_security_numbers.csv" or worse (accessing the server's own filesystem). Much like a SQL Injection Attack. By rooting the webapp's resources at the root of the WAR, you avoid that problem.

The other thing is that /forumx/000000 may look like a filesystem path, but it isn't. An actual filesystem path would require that forumx should be a directory name, and 000000 would be a filename. More likely, however, the web.xml file (or equivalent Java annotation) would define a servlet to have the logical (resource pathname) of "forumx", and thus, the actual "000000" would be data that forumx could act on. Probably looking up post "000000" in a database, so that the forumx servlet could copy its text to the response datastream.

Where it gets really confusing for most people is when you have file-like assets being accessed via webapp resource paths. That's because the rules for resolving a resource are as follows:

1. Match the resource path against the list of logical servlet paths defined in web.xml (or annotations)

If no match:

2. Match the resource path against the WAR-relative "filesystem path" of a JSP. (I quote "filesystem path", since officially a WAR is a JAR file, and thus its contents aren't literally files that standard filesystems can open and read directly.)
If a match is made, check the webapp server's JSP cache to see if the JSP has been compiled. If it hasn't, an internal compiler (in Tomcat, it's named JaSPer) will compile the JSP into Java code, producing a servlet. That Java code is then passed to javac to produce a class file which gets added to the JSP cache and added to the webapp's classpath. At that point, the URL is dispatched to the compiled JSP servlet class code just like it would be to a user-coded servlet.

If neither 1 nor 2:

3. Unmatched resource paths will be considered "filesystem paths" (see note, above) for static resources. That is, images, JavaScript files, CSS, and so forth. In that case a "default servlet" will simply use getResource() or getResourceAsStream() to open the resource "file" and copy its contents (along with appropriate HTML headers) to the response stream. The Default Servlet is built into the webapp server itself, so you don't have to provide one. Again, note that a resource path is NOT a filesystem path, and especially for a standard (zipped) WAR, which is why getResource() is required to read the data instead of simply using file open commands. Also, if the resource path corresponds to a "directory" and not a "file", then the Default Servlet may, depending on configuration, either construct a "directory listing" web page or simply return an error response. A directory listing, however, is generally considered to be a security risk, as it permits hackers to snoop the WAR's structure.

And, to repeat what everyone else has been saying, the resource path /WEB-INF is persona non grata to the URL resource processing mechanism. As far as incoming URL requests are concerned, it doesn't exist and any attempt to access it or its contents via a URL will return a "404 Not Found" response. Resources under /WEB-INF can only be accessed by webapp code, preferably via getResource()/getResourceAsStream() or mechanisms that employ one of those methods.

So, in sum, to eliminate the ability for a web client to directly access a JSP, you must define a dispatcher servlet whose URL replaces a more direct JSP URL, move the JSP to a location under /WEB-INF, and have the dispatcher servlet forward the request using the JSP's resource path (for example, "/WEB-INF/jsp/myhidden.jsp"). Usually the dispatcher servlet will act as an MVC Controller before doing the forward, but that's up to the designer.
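
An added example, not part of the original posts: a controller servlet of the kind Dave Tolls and Tim Holloway describe, forwarding to JSPs kept under /WEB-INF. The class name `RegisterController`, the `/register` mapping, the form field names and the two JSP paths are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical controller: clients request /register, never a .jsp URL.
// (On Jakarta EE 9+ the packages are jakarta.servlet.* instead of javax.servlet.*.)
@WebServlet("/register")
public class RegisterController extends HttpServlet {

    // Fixed, server-side view paths (assumed names). They are constants and are
    // never built from request parameters, so a client cannot choose the view.
    private static final String FORM_VIEW = "/WEB-INF/jsp/register.jsp";
    private static final String RESULT_VIEW = "/WEB-INF/jsp/registered.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A server-side forward may reach /WEB-INF; an incoming URL cannot.
        req.getRequestDispatcher(FORM_VIEW).forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        String email = req.getParameter("email");

        // Validation happens in the controller; the JSP only renders.
        if (name == null || name.trim().isEmpty()
                || email == null || !email.contains("@")) {
            req.setAttribute("error", "Name and a valid e-mail address are required.");
            req.getRequestDispatcher(FORM_VIEW).forward(req, resp);
            return;
        }

        // Application-specific work (for example storing the registration)
        // belongs here, before the view is chosen.

        // The JSP should output this value escaped, e.g. with <c:out>.
        req.setAttribute("registeredName", name.trim());
        req.getRequestDispatcher(RESULT_VIEW).forward(req, resp);
    }
}
```

With this in place the link in index.html targets `register` rather than `Register.jsp`, and no `<servlet-mapping>` for the JSP itself is needed in web.xml.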
 
Gayathri Gayu
Ranch Hand
Ok, as you say, I have done it for the other pages. The following is my index page, in which I don't have any servlet request. Then how will I hide the register.jsp displaying in my web address bar?

 
Bear Bibeault
Marshal
You didn't read the article I pointed to, did you? You never address a JSP directly -- always go through a controller.
 
Gayathri Gayu
Ranch Hand

Bear Bibeault wrote:You didn't read the article I pointed to, did you? You never address a JSP directly -- always go through a controller.

I am just going through the article but in my index page I am addressing the jsp directly only right?
 
Bear Bibeault
Marshal
Yes, you are.

What you should be addressing is a servlet controller for the JSP. The JSPs themselves should be hidden behind WEB-INF, which prevents them from being directly served.
 
Gayathri Gayu
Ranch Hand
So I should keep all my JSP files inside the WEB-INF folder and I can call them like this?
 
Bear Bibeault
Marshal
Again, no. You never reference the JSP directly like that. You reference the servlet that serves as the JSP's controller. The controller then forwards to the JSP.
 
Gayathri Gayu
Ranch Hand
Then please let me know how will I refer there?
 
Marshal
Like Bear already said. Your web page points to a servlet... let's call it Register. That servlet does the work of handling the other fields in the HTTP request, which are maybe the user's name and e-mail address or something like that.  Maybe it adds them to a database table. Then it forwards to a JSP which is going to report back to the requester with the result of registering, or something like that.

If you're still wondering how to have your web page point to a JSP, well, it's time to stop wondering that.
 
Gayathri Gayu
Ranch Hand
Ok. Now my .jsp file names are not visible in my web address bar. But for the forgot password page, when I try to copy-paste the link from Firefox to the Chrome browser, the exact page opens instead of the sign-in page. How will I restrict that?
 
Gayathri Gayu
Ranch Hand
Is it possible to have an if/else in the following code, so that copy-pasting a link from one browser to another browser displays the home page?

 
Paul Clapham
Marshal
That sounds like a new topic. So could you post the question -- with more detail, please -- in a new thread?

(And not in the JSP forum, either, because it sounds like the question is about your controller rather than the code producing HTML for the response.)
 
Gayathri Gayu
Ranch Hand
Posted in separate question. :)
 