Hi Ranchers, I dunno if this is too elementary a question, still... I have a JSP (say firstPage.jsp) that will have a button (or maybe a hyperlink) to call another JSP (say secondPage.jsp) and pass to it some parameter (either through a query string or a hidden form field). What my customer wants is that somebody who types in the URL of secondPage.jsp directly (correct, with query string) should not be able to get past. The one and only way to secondPage.jsp should be through firstPage.jsp. How can I ensure that? Will checking the HTTP Referrer in secondPage.jsp suffice? Thanks for your time.
Another option could be to put something into the HttpSession while processing firstPage.jsp, which indicates to secondPage.jsp that the user came via firstPage.jsp. (This "stuff" needs to be removed from the HttpSession by secondPage.jsp as a sort of "replay attack defense".) This way you don't have to rely on the HTTP client (= web browser) to send correct headers.
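The session-marker idea from the reply above, sketched as an added example that is not part of the original thread. The class name `PageFlowGuard`, its method names, the attribute key and the redirect path are all assumptions made for illustration; it uses the `javax.servlet` API (use `jakarta.servlet` on newer containers).

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper; class, method and attribute names are assumptions. */
public final class PageFlowGuard {
    // Session attribute key chosen for this example.
    private static final String MARKER = "flow.firstPage.visited";

    private PageFlowGuard() {}

    /** Call while processing firstPage.jsp: records that the user was here. */
    public static void markVisited(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        session.setAttribute(MARKER, Boolean.TRUE);
    }

    /**
     * Call at the top of secondPage.jsp, before any output is written.
     * Returns true if the request may proceed; otherwise redirects the
     * browser to firstPage.jsp and returns false.
     */
    public static boolean requireVisited(HttpServletRequest request,
                                         HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false); // never create one here
        boolean allowed = false;
        if (session != null) {
            // Check and remove together so the marker is single-use: a reload
            // or a bookmarked URL finds nothing. Assumption: the container
            // returns the same HttpSession object for concurrent requests in
            // one session, so this lock also serialises parallel requests.
            synchronized (session) {
                allowed = Boolean.TRUE.equals(session.getAttribute(MARKER));
                session.removeAttribute(MARKER);
            }
        }
        if (!allowed) {
            // Assumed location of firstPage.jsp: the context root.
            response.sendRedirect(request.getContextPath() + "/firstPage.jsp");
        }
        return allowed;
    }
}
```

In firstPage.jsp call `PageFlowGuard.markVisited(request)`; in secondPage.jsp start with `<% if (!PageFlowGuard.requireVisited(request, response)) return; %>`. The marker only proves the order of pages within one session, not that the user is entitled to the data.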
No. You should really have the servlet call an entitlements object before processing the request. For a typical architecture the servlet might run the user entitlement (is the user allowed to access this page? query this data?), then maybe user preferences (which language? time format? default search parameters, etc.), then actually perform the 'action' of the submit request.
Simon is absolutely correct about the use of a controller (the servlet). However, if you're dealing with a small, simple application which doesn't need maintenance then it's perfectly acceptable to "go low" and drop the controller.