
Hack proofing JSP

Debashish Chakrabarty
Ranch Hand

Joined: May 14, 2002
Posts: 231

Hi Ranchers,
I don't know if this is too elementary a question, still... I have a JSP (say firstPage.jsp) that will have a button (or maybe a hyperlink) to call another JSP (say secondPage.jsp) and pass it some parameter (either through the query string or a hidden form field).
What my customer wants is that somebody who types in the URL of secondPage.jsp directly (complete with the correct query string) should not be able to get past. The one and only way to secondPage.jsp should be through firstPage.jsp.
How can I ensure that? Will checking the HTTP Referer header in secondPage.jsp suffice?
Thanks for your time.

SCJP2, SCWCD 1.4, PMP, ITIL Foundation
Lasse Koskela

Joined: Jan 23, 2002
Posts: 11962
Another option would be to put something into the HttpSession while processing firstPage.jsp, which indicates to secondPage.jsp that the user came via firstPage.jsp. (This "stuff" needs to be removed from the HttpSession by secondPage.jsp as a sort of "replay attack defense".)
This way you don't have to rely on the HTTP client (i.e. the web browser) to send correct headers.

Author of Test Driven (2007) and Effective Unit Testing (2013)
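Added example, not code from the original thread: the session-based check Lasse describes, written as a pair of servlets standing in for firstPage.jsp and secondPage.jsp. The class names, the "flow.token" session attribute and the "item" parameter are assumptions for illustration. Rather than a plain boolean flag, firstPage stores a random token in the session and also puts it in the form, so secondPage can verify that the request really is the submission of that form and not just any request made after visiting firstPage; the token is removed on first use, which is the replay defense from the post.

```java
// Added example, not code from the original thread. Names (FirstPageServlet,
// SecondPageServlet, the "flow.token" session attribute, the "item" parameter)
// are assumptions chosen for illustration. Uses the javax.servlet API.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Stands in for firstPage.jsp: mints a one-time token and hands it to the form. */
public class FirstPageServlet extends HttpServlet {
    static final String TOKEN_ATTR = "flow.token";
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        // URL-safe base64 without padding: only [A-Za-z0-9_-], so it is safe
        // to embed in the HTML attribute below without further escaping.
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // The authoritative copy lives server-side in the session.
        req.getSession(true).setAttribute(TOKEN_ATTR, token);
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print("<form method=\"post\" action=\"secondPage\">"
                + "<input type=\"hidden\" name=\"token\" value=\"" + token + "\">"
                + "<input type=\"hidden\" name=\"item\" value=\"42\">"
                + "<button type=\"submit\">Continue</button></form>");
    }
}

/** Stands in for secondPage.jsp: reachable only with the token minted by FirstPageServlet. */
class SecondPageServlet extends HttpServlet {
    // No doGet override: typing the URL (with or without a query string) gets 405.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);   // never create one here
        String expected = session == null
                ? null : (String) session.getAttribute(FirstPageServlet.TOKEN_ATTR);
        if (session != null) {
            // Consume before comparing: a failed attempt cannot be retried and a
            // successful one cannot be replayed (the "replay attack defense").
            session.removeAttribute(FirstPageServlet.TOKEN_ATTR);
        }
        String supplied = req.getParameter("token");
        if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Start from firstPage");
            return;
        }
        String item = req.getParameter("item");
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().print("secondPage for item " + item);
    }

    /** Length-independent comparison so timing does not leak the token. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

This assumes the two servlets are mapped to /firstPage and /secondPage in web.xml. Nothing here depends on the Referer header: a browser, proxy or privacy extension that strips it does not break the flow, and a user who forges it gains nothing, because the decision is made on state the server itself created. The check only says "this request came through firstPage's form"; it says nothing about who the user is, which is the separate entitlement question raised further down the thread.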
SJ Adnams
Ranch Hand

Joined: Sep 28, 2001
Posts: 925
You should really have the servlet call an entitlements object before processing the request.
For a typical architecture the servlet might run the user entitlement check (is the user allowed to access this page? to query this data?), then maybe user preferences (which language? time format? default search parameters, etc.), then actually perform the 'action' of the submitted request.
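Added example, not code from the original thread: the "entitlements object" from the post above, called from a servlet Filter so the page-level and data-level checks run before the JSP (or a controller servlet) does any work. The Entitlements interface, the in-memory MapEntitlements, the EntitlementFilter, the "item" parameter and the sample grants are all assumptions for illustration; the user identity comes from container-managed authentication via getUserPrincipal().

```java
// Added example, not code from the original thread. The Entitlements interface,
// MapEntitlements, EntitlementFilter, the "item" parameter and the sample grants
// are assumptions for illustration. Uses the javax.servlet Filter API.
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** The "entitlements object": answers the two questions the post lists. */
interface Entitlements {
    boolean mayView(Principal user, String servletPath);   // may this user open this page?
    boolean mayQuery(Principal user, String recordId);     // may this user read this record?
}

/** Constructed in-memory grants; a real implementation would consult the user store. */
class MapEntitlements implements Entitlements {
    private final Map<String, Set<String>> pagesByUser = new HashMap<>();
    private final Map<String, Set<String>> recordsByUser = new HashMap<>();

    void grantPage(String user, String path) {
        pagesByUser.computeIfAbsent(user, k -> new HashSet<>()).add(path);
    }
    void grantRecord(String user, String recordId) {
        recordsByUser.computeIfAbsent(user, k -> new HashSet<>()).add(recordId);
    }
    public boolean mayView(Principal user, String servletPath) {
        return user != null && lookup(pagesByUser, user).contains(servletPath);
    }
    public boolean mayQuery(Principal user, String recordId) {
        return user != null && lookup(recordsByUser, user).contains(recordId);
    }
    private static Set<String> lookup(Map<String, Set<String>> m, Principal user) {
        return m.getOrDefault(user.getName(), Collections.emptySet());
    }
}

/** Runs before every JSP it is mapped to; denies unless both checks pass. */
public class EntitlementFilter implements Filter {
    private Entitlements entitlements;

    @Override
    public void init(FilterConfig cfg) {
        MapEntitlements e = new MapEntitlements();
        e.grantPage("alice", "/secondPage.jsp");   // sample grants (constructed)
        e.grantRecord("alice", "42");
        entitlements = e;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Principal user = req.getUserPrincipal();   // null when not logged in
        String recordId = req.getParameter("item");

        // Page check first, then the data check for whatever record was asked for.
        boolean allowed = entitlements.mayView(user, req.getServletPath())
                && (recordId == null || entitlements.mayQuery(user, recordId));
        if (!allowed) {
            // Deny by default: the JSP never executes, however the URL was reached.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);   // preferences and the action itself run next
    }

    @Override
    public void destroy() {}
}
```

Map the filter to the protected pages with a filter-mapping in web.xml (assumed here: url-pattern /secondPage.jsp). Note what this does and does not decide: it answers "is this user allowed to see this page and this record", regardless of how the URL was reached, whereas the session-token approach earlier in the thread answers "did this request come through firstPage". For the customer's stated requirement the navigation check is what is asked for; for anything involving per-user data the entitlement check is the one that actually matters, and the two compose naturally (filter first, then the token check in the servlet).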
Lasse Koskela

Joined: Jan 23, 2002
Posts: 11962
Simon is absolutely correct about the use of a controller (the servlet). However, if you're dealing with a small, simple application which doesn't need maintenance, then it's perfectly acceptable to "go low" and drop the controller.
I agree. Here's the link: