Web tier: servlets, JSP, Web frameworks: how to deny any GET access to JSPs?

  1. how to deny any GET access to JSPs? (11 messages)

    Hi,
    Maybe this is a common problem, but I am not able to find a good solution.

    I want to allow access only to *.do but no GET requests to
    .jsp. Please don't tell me to put the JSPs into WEB-INF; I don't want to.

    So what's the solution?

    thanks in advance

    -ram

  2. Maybe you can use method="post" in your JSP,
    so that the parameters attached to the URL are hidden.
  3. That's an interesting question.
    These answers are not fully thought through, but may be useful as pointers.

    Two ideas:
    1: Add authentication / authorisation controls such that the JSPs can be accessed only with certain credentials, and set those credentials in the controllers. Any requests for JSPs coming in direct from browsers would be rejected as unauthorised, but those requests for JSPs included from controllers would be accepted.
    2: If you can't or don't want to use the container's auth controls, roll your own simple one. Have every controller add a bean to the request context and have every JSP test for that bean. If the bean exists execute the JSP normally, if not redirect the browser to some appropriate action. Again requests for JSPs direct from the browser would lack the required bean while requests through the controllers would work normally.

    As a twist on either of these ideas you could probably subclass the Servlet to set the credentials or add the auth token bean, meaning you would not have to change each controller.
    Also you may be able to set an error handler directive in the web.xml so that a 'not authorised' error is redirected to /start.do or whatever is appropriate.

    I'd be interested to hear what you decide with this. Can you post here when you have decided and tested?

    Brian.
  4. Very Simple...?

    Can't you use something like
    "request.getMethod()" and then simply deny access if this method returns "GET"?
    Am I not right?
  5. Very Simple...?

    Can't you use something like
    "request.getMethod()" and then simply deny access if this method returns "GET"?
    Am I not right?
    That may not work. The JSP will be executed after the action/controller is executed. The request to the .do URL for the controller may be a GET request.
    What you suggest would stop the JSP from executing after the controller if the controller was called using a GET.

    I think also I am looking at the requirement as being slightly more than what was stated. I guess the requirement is to make sure the JSP is executed only after the controller is executed and not independently of the controller. Typically that would be by the browser asking to GET the JSP directly, but it could also be by the browser POSTing to the JSP without going through the controller.

    So my suggestions are aimed at making sure the JSP is executed only after the controller and not independently of the controller, no matter the HTTP method involved.

    Brian.
  6. use a filter

    Just out of my head - might be wrong:

    Code a javax.servlet.Filter that always sends a SC_FORBIDDEN (403) to the browser and map it to all *.jsp resources.

    As far as I know, the filter chain is only built and called once. So if you call a JSP directly, the filter will be called and responds with a 403. If you call a Struts action, the filter will not be included in the chain since its mapping doesn't match. When the action includes the JSP internally, the filter won't be called either.

    Give it a try,
    Thomas
  7. use a filter

    Thanks to all for your responses!

    I think the filter concept sounds very elegant. How do I return the 403? What's the syntax?
    But it seems filters are allowed only in Servlet 2.3.
    Does anyone know if WebLogic 6.1 with SP4 uses J2EE 1.3 or not? And how
    does one find out which J2EE version is being used, in general?

    I am sorry if this is a little offbeat post...

    thanks-ram
  8. use a filter

    Below is some simple code for a filter.

    Looking through the specs it is not clear exactly when the filter will be applied, so you will have to test it to be sure.

    Brian.

    package tests;

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;

    // Mapped to *.jsp in web.xml. It deliberately never calls chain.doFilter(),
    // so any request that reaches this filter is answered with 403 Forbidden
    // and the JSP behind it is never executed.
    public class ForbiddenFilter implements Filter {

        public void destroy() {
            // nothing to release
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            try {
                // Reject the direct request to the JSP
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            } catch (ClassCastException ex) {
                // A non-HTTP response cannot carry a status code
                throw new ServletException("Only HTTP requests are permitted for this resource type");
            }
        }

        public void init(FilterConfig config) throws ServletException {
            // nothing to configure
        }
    }
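    An added example, not part of the thread: the web.xml entries that wire the ForbiddenFilter above to every *.jsp. It assumes the class name used in Brian's code and a Servlet 2.4 or later container, where the <dispatcher> element states explicitly that only direct client requests are filtered, so forwards and includes from a *.do controller still reach the JSP.

```xml
<!-- Added example: web.xml fragment for tests.ForbiddenFilter (assumes Servlet 2.4+) -->
<filter>
    <filter-name>ForbiddenFilter</filter-name>
    <filter-class>tests.ForbiddenFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ForbiddenFilter</filter-name>
    <!-- every JSP under the context root, however the client names it -->
    <url-pattern>*.jsp</url-pattern>
    <!-- REQUEST only: the filter runs for requests arriving from the client,
         but not for RequestDispatcher.forward()/include() issued by the *.do
         controllers, which is the behaviour Thomas describes. Omitting the
         element has the same effect, since REQUEST is the default. -->
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

    On a Servlet 2.3 container the web.xml DTD has no <dispatcher> element, so drop that line there; check with a direct GET of a JSP (expect 403) and with a *.do that forwards to the same JSP (expect the page) to confirm the container behaves as described.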
  9. use a filter

    Take the response, cast it to HttpServletResponse and call

    sendError(HttpServletResponse.SC_FORBIDDEN);

    You can also specify an error message as a second parameter or use SC_NOT_FOUND if you want to hide the existence of the JSP completely, because if you send SC_FORBIDDEN it is clear that the resource exists but must not be accessed.

    You're right, this only works with Servlet API 2.3, but this shouldn't be a problem on modern servlet containers.

    Cheers,
    Thomas
  10. use a filter

    Take the response, cast it to HttpServletResponse and call

    sendError(HttpServletResponse.SC_FORBIDDEN);

    on it. You can specify an error message as a second parameter as well. Or you can use SC_NOT_FOUND instead of SC_FORBIDDEN to hide the JSPs completely, since sending a forbidden tells the surfer that there actually IS a resource with that URI but that he mustn't access it.

    You're right that the filter solution only works with Servlet API 2.3 which shouldn't be a problem since modern servlet containers should support this.

    Cheers,
    Thomas
  11. use a filter

    Thanks a lot guys, that worked well! And I really love the concept of filters.
    I am planning to do some security stuff, like checking if the user has logged in.
    If so, I want to forward it to the Struts action. Hope this will work!

    thanks
    -ram
  12. Your requirement seems small, so
    a simplistic model would be to
    add some credentials (could be a very simple user-related object, or session id)
    and use a bean to check whether it is present where you're expecting it.