Hi,
My situation is: in my Struts framework I shouldn't allow users to access a page by directly typing in the URL (with/without the parameters), even after he logs in. The user should be allowed to access a page only through links or a form submit in a page. Can the application identify whether the request came from GET or POST and throw some exception in the doGet method?
Any immediate response would be appreciated.
Thanks
Rathi
-
URGENT: Preventing request from url (4 messages)
- Posted by: Rathi Dhamo
- Posted on: June 24 2003 20:18 EDT
-
Preventing request from url
- Posted by: Jaroslav Brazda
- Posted on: June 25 2003 04:34 EDT
- in response to Rathi Dhamo
Rathi,
Yes, of course, you can do it several ways:
1. The simplest is to allow only POST on the specified URL in web.xml using a security constraint:
    <security-constraint>
      <display-name>Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>SomeWebResource</web-resource-name>
        <url-pattern>*.do</url-pattern>
        <url-pattern>your URL pattern</url-pattern>
        <!-- List the methods to block; POST is left out so it stays allowed -->
        <http-method>GET</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
      </web-resource-collection>
      <!-- An empty auth-constraint denies the listed methods to every user -->
      <auth-constraint/>
    </security-constraint>
2. You can find out which HTTP method is called in your pages or servlets by calling HttpServletRequest.getMethod()
3. An often-used approach is to store application form and view JSP pages under the WEB-INF directory, so pages can't be accessed directly: the URL is always hidden and only server-side forwards are used; redirection to pages is not used. The application is more consistent, because there is no direct access to view or form pages; controller components (*.do servlets) are accessed first, so data validation and initialization are always guaranteed. This approach is even more secure.
You can combine all three methods in your app.
Hope this helps
Jaroslav Brazda
Senior Engineer, Systinet
Phone: +420 272 019 539
eMail: jaroslav dot brazda at systinet dot com
icq: 114543450
http://www.systinet.com
-
Preventing request from url
- Posted by: Sheng Sheen
- Posted on: June 25 2003 10:24 EDT
- in response to Jaroslav Brazda
We usually prefer #3. Just put the JSPs and related files in WEB-INF. This way you are sure they're not getting to it from the URL.
-
URGENT: Preventing request from url
- Posted by: Dmitry Namiot
- Posted on: June 25 2003 23:51 EDT
- in response to Rathi Dhamo
Also, you can use filters for protection. See, for example, the Protect filter in JSOS: www.servletsuite.com/servlets.htm
-
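The getMethod() check from option 2, packaged as a servlet filter of the kind suggested above. This is an added example, not code from any poster and not the JSOS Protect filter; the class name MethodGuardFilter and the init-param name allowedMethods are assumptions.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class). Map it in web.xml with a
// <filter-mapping> to the URLs to guard, for instance *.do.
public class MethodGuardFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>(); // methods let through
    private String allowHeader = "";                           // value for the Allow header

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedMethods"); // assumed param name
        if (param == null || param.trim().length() == 0) {
            param = "POST"; // default: form submits only
        }
        StringBuilder header = new StringBuilder();
        for (String m : param.split(",")) {
            String method = m.trim().toUpperCase(Locale.ROOT);
            if (method.length() > 0 && allowed.add(method)) {
                if (header.length() > 0) header.append(", ");
                header.append(method);
            }
        }
        allowHeader = header.toString();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Fail closed on anything that is not an HTTP request/response pair.
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            throw new ServletException("MethodGuardFilter supports HTTP requests only");
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!allowed.contains(request.getMethod())) {
            // 405 Method Not Allowed, with the Allow header that status calls for.
            response.setHeader("Allow", allowHeader);
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return; // do not pass the request on to the Struts action
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

A method check only separates GET from POST; it does not establish that the request came from a link or form inside the application.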
URGENT: Preventing request from url
- Posted by: Rathi Dhamo
- Posted on: June 26 2003 14:02 EDT
- in response to Dmitry Namiot
Thank you, everybody, for providing me with good suggestions for my problem.
Rathi