
Deny access to a JSP page

 
Siripa Siangklom
Ranch Hand
Posts: 79
Hi guys,
How can one deny access to a certain JSP directly from a web browser? I don't want users to be able to directly access a JSP by typing its URL in a web browser.
Thanks
 
Pradeep bhatt
Ranch Hand
Posts: 8927
You can put the JSP under the WEB-INF directory but be warned that this does not work in all containers. Works with Tomcat.
 
Lasse Koskela
author
Sheriff
Posts: 11962
If I remember correctly, you can do something like

in your web.xml, which prevents any HTTP requests to access the specified JSP file(s), but still allows a servlet or another JSP page to forward the request to be processed by the "secure" JSP.
 
Pradeep bhatt
Ranch Hand
Posts: 8927
Check 4. Protect JSPs Behind WEB-INF
http://www.onjava.com/lpt/a/2832
 
Winston Smith
Ranch Hand
Posts: 136
As usual, there are so many ways to approach the problem. Here is something I've used before for "lightweight protection":
You can use a session variable to set a "flag" for the client. So, for example, if the client logs into the site properly, create a session variable isLogged and set it to true (the value actually doesn't matter in this simple example since you're just going to check if it exists -- for more security, you can check the value). On each page, test isLogged to see if it exists. If it is null, this means the client has not gone through the proper process to access the page.
So, in effect, if I simply cut and paste the URL, when I access the page, you will check the session variable isLogged, which will not exist, so you will deny me access.
WS
[ March 12, 2004: Message edited by: Winston Smith ]
 
Hans Bergsten
Author
Ranch Hand
Posts: 106
Originally posted by Lasse Koskela:
If I remember correctly, you can do something like

in your web.xml, which prevents any HTTP requests to access the specified JSP file(s), but still allows a servlet or another JSP page to forward the request to be processed by the "secure" JSP.

This is the best solution IMHO.
 