JavaRanch » Java Forums » Java » JSP
Hack proofing JSP

Debashish Chakrabarty
Ranch Hand

Joined: May 14, 2002
Posts: 230

Hi Ranchers,
I don't know if this is too elementary a question, still... I have a JSP (say firstPage.jsp) that will have a button (or maybe a hyperlink) to call another JSP (say secondPage.jsp) and pass it some parameter (either through a query string or a hidden form field).
What my customer wants is that somebody who types in the URL of secondPage.jsp directly (with the correct query string) should not be able to get past. The one and only way to secondPage.jsp should be through firstPage.jsp.
How can I ensure that? Will checking the HTTP Referer header in secondPage.jsp suffice?
Thanks for your time.


Debashish
SCJP2, SCWCD 1.4, PMP, ITIL Foundation
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
    
    5
Another option could be to put something into the HttpSession while processing firstPage.jsp which indicates to secondPage.jsp that the user came via firstPage.jsp. (This "stuff" needs to be removed from the HttpSession by secondPage.jsp as a sort of "replay attack defense".)
This way you don't have to rely on the HTTP client (i.e. the web browser) to send correct headers.


Author of Test Driven (2007) and Effective Unit Testing (2013) [Blog] [HowToAskQuestionsOnJavaRanch]
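The session hand-off described in the post above, written out as an added example; this is not code from the thread, and the class name, the session attribute name and the JSP snippets in the comment are assumptions:

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;

/**
 * One-shot hand-off marker between firstPage.jsp and secondPage.jsp.
 * Hypothetical helper for the session approach described above; not from the thread.
 *
 * firstPage.jsp puts the marker into the form (or link) it renders:
 *   <input type="hidden" name="handoff" value="<%= HandoffToken.issue(session) %>">
 * secondPage.jsp checks it before doing anything else:
 *   <% if (!HandoffToken.consume(session, request.getParameter("handoff"))) {
 *          response.sendError(403); return; } %>
 */
public final class HandoffToken {
    private static final String ATTR = "handoff.secondPage"; // assumed attribute name
    private static final SecureRandom RNG = new SecureRandom();

    private HandoffToken() {}

    /** Generate a fresh random marker, store it in the session, and return it for the form. */
    public static String issue(HttpSession session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(ATTR, token);
        return token;
    }

    /**
     * Accept the marker exactly once. It is removed from the session before it is compared,
     * so a second request carrying the same value (a replay, or a reload of secondPage.jsp)
     * is refused even if something goes wrong after the removal.
     */
    public static boolean consume(HttpSession session, String presented) {
        if (session == null || presented == null) {
            return false;
        }
        Object stored = session.getAttribute(ATTR);
        session.removeAttribute(ATTR);
        if (!(stored instanceof String)) {
            return false; // never issued, or already consumed
        }
        // Constant-time comparison; both values are URL-safe Base64, so they are plain ASCII.
        return MessageDigest.isEqual(((String) stored).getBytes(), presented.getBytes());
    }
}
```

Typing the URL of secondPage.jsp straight into the address bar fails because nothing has put the marker into the session, and the browser's Referer header is never consulted. Note what this does and does not give you: it enforces the page order within one browser session, but anyone who can load firstPage.jsp can also read the hidden field, so it is flow control rather than authorization; whether this user may see secondPage.jsp at all is a separate check.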
SJ Adnams
Ranch Hand

Joined: Sep 28, 2001
Posts: 925
No.
You should really have the servlet call an entitlements object before processing the request.
For a typical architecture the servlet might run the user entitlement (is the user allowed to access this page? query this data?), then maybe user preferences (which language? time format? default search parameters etc.), then actually perform the 'action' of the submitted request.
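The controller ordering described in the post above (entitlement, then preferences, then the action), as an added example that is not code from the thread. The servlet mapping, the `Entitlements` interface and its in-memory policy, and the `/WEB-INF/jsp/` layout are assumptions made for the example:

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical entitlements object: answers "may this user see this page?" before any work happens. */
interface Entitlements {
    boolean mayView(String user, String page);
}

/**
 * Constructed front-controller servlet (not from the thread). Assumed to be mapped in web.xml to
 * /app, so requests look like /app?page=secondPage&id=42. The JSPs live under /WEB-INF/jsp/, which
 * the container never serves directly, so secondPage.jsp is reachable only through this servlet.
 */
public class ControllerServlet extends HttpServlet {
    // Only these views can be forwarded to; this also stops "../" tricks in the page parameter.
    private static final Set<String> VIEWS =
            new HashSet<String>(Arrays.asList("firstPage", "secondPage"));

    private Entitlements entitlements;

    @Override
    public void init() {
        // Assumed policy for the example: everyone may see firstPage, only "alice" may see secondPage.
        entitlements = new Entitlements() {
            public boolean mayView(String user, String page) {
                if ("firstPage".equals(page)) {
                    return true;
                }
                return "secondPage".equals(page) && "alice".equals(user);
            }
        };
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = req.getParameter("page");
        if (page == null || !VIEWS.contains(page)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 1. Entitlement: based on the container-authenticated identity, never on a request parameter.
        String user = req.getRemoteUser(); // null when the container has not authenticated anyone
        if (user == null || !entitlements.mayView(user, page)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 2. Preferences: things the view needs that are not about permission.
        String lang = (String) req.getSession().getAttribute("lang");
        req.setAttribute("lang", lang != null ? lang : "en");
        // 3. Action: hand the request to the view; the other parameters (e.g. id) ride along on it.
        req.getRequestDispatcher("/WEB-INF/jsp/" + page + ".jsp").forward(req, resp);
    }
}
```

With this layout the original question largely disappears: there is no URL for secondPage.jsp that the container will serve, and the only route to it passes through the controller's entitlement check, so nothing depends on the browser sending a particular Referer header.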
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
    
    5
Simon is absolutely correct about the use of a controller (the servlet). However, if you're dealing with a small, simple application which doesn't need maintenance then it's perfectly acceptable to "go low" and drop the controller.