Web tier: servlets, JSP, Web frameworks: URGENT: Preventing request from url

  1. URGENT: Preventing request from url (4 messages)

    Hai,
    My situation is, in my STRUTS framework I shouldn't allow users to access a page by directly typing in the URL (with/without the parameters) even after he logs in. The user should be allowed to access a page only through links or form-submit in a page. Can the application identify whether the request came from GET or POST and throw some exception in the doGet method?
    Any immediate response would be appreciated.
    Thanks
    Rathi
  2. Preventing request from url

    Rathi,
    Yes, of course, you can do it in several ways:
    1. The simplest is to allow only POST on the specified URL in web.xml using a security constraint:

    <security-constraint>
      <display-name>Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>SomeWebResource</web-resource-name>
        <url-pattern>*.do</url-pattern>
        <url-pattern>your URL pattern</url-pattern>
        <!-- the methods listed here are the ones that get denied below;
             methods not listed (POST) stay uncovered and are still allowed -->
        <http-method>GET</http-method>
        <http-method>HEAD</http-method>
      </web-resource-collection>
      <!-- an empty auth-constraint permits no role at all, so GET/HEAD on
           these patterns is refused by the container (403) -->
      <auth-constraint/>
    </security-constraint>
    2. You can find out which HTTP method is called in your pages or servlets by calling HttpServletRequest.getMethod().

    3. There is an often used approach to store application form and view JSP pages under the WEB-INF directory, so pages can't be accessed directly: the URL is always hidden and only server-side forwards are used; redirection to pages is not used. The application is more consistent, because there is no direct access to view or form pages; controller components (*.do servlets) are accessed first, so data validation and initialization is always guaranteed. This approach is even more secure.

    You can combine all three methods in your app.

    Hope this helps


    Jaroslav Brazda
    Senior Engineer, Systinet

    Phone: +420 272 019 539
    eMail: jaroslav dot brazda at systinet dot com
    icq: 114543450
    http://www.systinet.com
  3. Preventing request from url

    We usually prefer #3. Just put the JSPs and related files in WEB-INF. This way you are sure they're not getting to it from the URL.
  4. Also you can use filters for protection. See for example Protect filter
    in JSOS: www.servletsuite.com/servlets.htm
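    The following is an added example, not code from this thread or from JSOS: a servlet Filter that applies Jaroslav's item 2 (the HttpServletRequest.getMethod() check) in the filter style suggested in the post above, and forwards only to a view kept under WEB-INF (item 3). The class name, the package, the filter mapping and the JSP path are this example's own assumptions.

    ```java
    // Added example, not from the thread: refuse anything but POST for the
    // mapped URLs, then hand the request on to the Struts controller, which
    // forwards to a JSP under WEB-INF that no browser can request directly.
    package example.web; // hypothetical package name

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class PostOnlyFilter implements Filter {

        public void init(FilterConfig config) throws ServletException {
            // nothing to configure in this example
        }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // A URL typed into the address bar arrives as GET (or HEAD). Anything
            // other than POST is refused here, before Struts ever runs the action.
            // 405 is the status for an unsupported method; the Allow header tells
            // the client which method the resource does accept.
            if (!"POST".equalsIgnoreCase(request.getMethod())) {
                response.setHeader("Allow", "POST");
                response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return;
            }
            chain.doFilter(req, res);
        }

        public void destroy() {
            // nothing to release
        }
    }

    /*
     * web.xml fragment for the filter (assumed names; adjust to your own):
     *
     *   <filter>
     *     <filter-name>PostOnlyFilter</filter-name>
     *     <filter-class>example.web.PostOnlyFilter</filter-class>
     *   </filter>
     *   <filter-mapping>
     *     <filter-name>PostOnlyFilter</filter-name>
     *     <url-pattern>/checkout/*.do</url-pattern>
     *   </filter-mapping>
     *
     * For item 3, point the action's forward at a path under WEB-INF in
     * struts-config.xml, e.g. path="/WEB-INF/jsp/confirm.jsp" (assumed path).
     * The container never serves WEB-INF to a client, so the JSP can only be
     * reached by a server-side forward from the controller.
     */
    ```

    Two things to keep in mind when relying on this. A method check stops a URL from being navigated to, but a client that wants to can still send a POST to the same address, so the action behind it must still verify session state and authorization on its own; Struts' saveToken(request) / isTokenValid(request) pair is the framework's own mechanism for tying a submit to a form the server actually issued. And when you use the web.xml security-constraint instead of a filter, list the methods you want denied together with an empty auth-constraint; a web-resource-collection that only names POST and has no auth-constraint constrains nothing.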
  5. Thank you everybody, for providing me good suggestions for my problem.
    Rathi