Deny access to a JSP page

Siripa Siangklom
Ranch Hand

Joined: Jan 26, 2004
Posts: 79
Hi guys,
How can one deny access to a certain JSP directly from a web browser? I don't want users to be able to directly access a JSP by typing its URL in a web browser.
Thanks
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

You can put the JSP under the WEB-INF directory but be warned that this does not work in all containers. Works with Tomcat.


Groovy
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
    
If I remember correctly, you can do something like

in your web.xml, which prevents any HTTP requests to access the specified JSP file(s), but still allows a servlet or another JSP page to forward the request to be processed by the "secure" JSP.


Author of Test Driven (2007) and Effective Unit Testing (2013)
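
An added example, not the snippet from the post above: a web.xml constraint that gives the behaviour described there (direct HTTP requests refused, server-side forwards still served). The /protected/* path and the resource names are assumptions chosen for illustration.

```xml
<!-- Added example: fragment to place inside <web-app> in WEB-INF/web.xml.
     The /protected/ directory and the names below are hypothetical. -->
<security-constraint>
  <display-name>No direct access to internal JSPs</display-name>
  <web-resource-collection>
    <web-resource-name>internal-jsps</web-resource-name>
    <!-- Covers every resource under /protected/. No <http-method>
         element is listed, so the constraint applies to all HTTP
         methods; listing only GET and POST would leave the other
         methods outside the constraint. -->
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <!-- An auth-constraint with no <role-name> children names no
       permitted role, so the container refuses every client request
       that matches the pattern, whoever the user is. -->
  <auth-constraint/>
</security-constraint>
<!-- Security constraints are evaluated on incoming client requests.
     A servlet or JSP that reaches /protected/page.jsp through
     RequestDispatcher.forward() or include() is not subject to them,
     so a controller can still render the page after its own checks. -->
```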
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8919

Check 4. Protect JSPs Behind WEB-INF
http://www.onjava.com/lpt/a/2832
Winston Smith
Ranch Hand

Joined: Jun 06, 2003
Posts: 136
As usual, there are so many ways to approach the problem. Here is something I've used before for "lightweight protection":
You can use a session variable to set a "flag" for the client. So, for example, if the client logs into the site properly, create a session variable isLogged and set it to true (the value actually doesn't matter in this simple example since you're just going to check if it exists -- for more security, you can check the value). On each page, test isLogged to see if it exists. If it is null, this means the client has not gone through the proper process to access the page.
So, in effect, if I simply cut and paste the url, when I access the page, you will check the session variable isLogged, which will not exist so you will deny me access.
WS
[ March 12, 2004: Message edited by: Winston Smith ]

for (int i = today; i < endOfTime; i++) { code(); }
Hans Bergsten
Author
Ranch Hand

Joined: Dec 01, 2003
Posts: 106
Originally posted by Lasse Koskela:
If I remember correctly, you can do something like

in your web.xml, which prevents any HTTP requests to access the specified JSP file(s), but still allows a servlet or another JSP page to forward the request to be processed by the "secure" JSP.

This is the best solution IMHO.


Hans Bergsten, hans@gefionsoftware.com
Author of O'Reilly's
- JavaServer Pages,
- JavaServer Faces
http://www.hansbergsten.com/