Deny access to a JSP page

 
Ranch Hand
Posts: 79
Hi guys,
How can one deny access to a certain JSP directly from a web browser? I don't want users to be able to directly access a JSP by typing its URL in a web browser.
Thanks
 
Ranch Hand
Posts: 8945
You can put the JSP under the WEB-INF directory but be warned that this does not work in all containers. Works with Tomcat.
 
author
Posts: 11962
If I remember correctly, you can do something like

in your web.xml, which prevents any HTTP requests to access the specified JSP file(s), but still allows a servlet or another JSP page to forward the request to be processed by the "secure" JSP.
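
One common way to get the behaviour described in the post above, shown as an added example that is not part of the original thread and is not necessarily the snippet the poster had in mind: a security constraint with an empty auth-constraint. The `/internal/*` path is an assumed location for the protected JSPs.

```xml
<!-- Added example: fragment for WEB-INF/web.xml, placed inside <web-app>. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Internal JSPs</web-resource-name>
    <!-- Assumption: the JSPs that must not be requested directly
         live under /internal/ in the web application root. -->
    <url-pattern>/internal/*</url-pattern>
    <!-- Deliberately no <http-method> elements here. With none listed,
         the constraint covers every HTTP method. Listing only GET, for
         example, would leave the other methods unconstrained. -->
  </web-resource-collection>
  <!-- An empty auth-constraint names no permitted role, so the container
       denies every client request that matches the URL pattern. -->
  <auth-constraint/>
</security-constraint>
```

With this in place the container rejects a direct browser request for anything under `/internal/` with 403 Forbidden. Forwards and includes made through a RequestDispatcher from a servlet or another JSP are not subject to the constraint, so they still reach the protected page.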
 
Pradeep bhatt
Ranch Hand
Posts: 8945
Check 4. Protect JSPs Behind WEB-INF
http://www.onjava.com/lpt/a/2832
 
Ranch Hand
Posts: 136
As usual, there are so many ways to approach the problem. Here is something I've used before for "lightweight protection":
You can use a session variable to set a "flag" for the client. So, for example, if the client logs into the site properly, create a session variable isLogged and set it to true (the value actually doesn't matter in this simple example since you're just going to check if it exists -- for more security, you can check the value). On each page, test isLogged to see if it exists. If it is null, this means the client has not gone through the proper process to access the page.
So, in effect, if I simply cut and paste the URL, when I access the page, you will check the session variable isLogged, which will not exist, so you will deny me access.
WS
[ March 12, 2004: Message edited by: Winston Smith ]
 
Author
Posts: 106

Originally posted by Lasse Koskela:
If I remember correctly, you can do something like

in your web.xml, which prevents any HTTP requests to access the specified JSP file(s), but still allows a servlet or another JSP page to forward the request to be processed by the "secure" JSP.


This is the best solution IMHO.
 