how to disable address bar in explorer

 
Ranch Hand
Posts: 130
Hello

I am facing a problem that if a user changes the value of an argument in the address bar, he can see the JSP page which is restricted to him.

Please tell me whether it is possible to make the address bar read-only, disabled or invisible to the user so the application becomes safe.

Thank you
 
author
Posts: 15385
You cannot do it.

Looks like you need to rethink the server side portion of the code.

Eric
 
Ranch Hand
Posts: 15304
Here is what I do. I have a Servlet for every single JSP. Sometimes, all the servlet does is forward to the JSP. So my url never shows a .jsp in the address bar. It will only be something like:

http://localhost:8080/app/page

Where page maps to a Servlet and the Servlet forwards to whatever JSP I need. Now if you pass parameters in the URL, which you still can, there is nothing you can do to keep people from changing these parameters. What you will have to do is, in your Servlet that accepts the request, make sure the parameters that are entered are valid for the request.
 
Sheriff
Posts: 67746
If you are relying on the client-side for security, you are doing it wrong. Just hiding the address bar isn't going to prevent anyone from trying to spoof your system.

Take for example an app I am working on. Depending upon roles and ownership rules, different users are allowed to access different sets of records. When a search is performed, only the records that the user is allowed to see are displayed. Clicking on a search result brings up the record's details.

If I relied on the fact that the user can't see a 'forbidden' record to click on it, I'd be doing it completely wrong.

When the request to view a record's details comes in, I check on the server side whether the user has permission to access the record or not. That way, anyone trying to spoof the system by typing in URLs and changing parameters is still unable to view records that they are not supposed to.

I also encrypt the parameter values so that true keys are not exposed on the client side. This makes it harder to spoof URLs as well.
 
Don't get me started about those stupid light bulbs.
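
The server-side check the replies above describe, as an added example that is not code from any post in this thread: the record id from the URL is treated as untrusted input and is checked against the logged-in user on every request. The class, the owner-or-admin rule and the sample records are hypothetical, and the code assumes Java 16 or later for `record`.

```java
import java.util.Map;
import java.util.Set;

// Added example; every name and all sample data below are hypothetical.
public class RecordAccessCheck {
    record User(String name, Set<String> roles) {}
    record Rec(long id, String owner, String details) {}

    // Constructed sample data standing in for the database.
    static final Map<Long, Rec> RECORDS = Map.of(
        1L, new Rec(1, "alice", "alice's invoice"),
        2L, new Rec(2, "bob", "bob's invoice"));

    // Returns the record only if the caller may see it, otherwise null.
    // In a servlet, `user` would come from the HttpSession populated at
    // login and `rawId` from request.getParameter("id"); the identity is
    // never taken from a request parameter.
    static Rec load(User user, String rawId) {
        if (user == null || rawId == null) return null;  // no session or no id
        long id;
        try {
            id = Long.parseLong(rawId.trim());
        } catch (NumberFormatException e) {
            return null;                                  // malformed parameter
        }
        Rec rec = RECORDS.get(id);
        if (rec == null) return null;                     // no such record
        boolean allowed = rec.owner().equals(user.name())
                       || user.roles().contains("admin");
        // "Missing" and "forbidden" look the same to the caller, so the
        // response does not reveal which ids exist.
        return allowed ? rec : null;
    }

    public static void main(String[] args) {
        User alice = new User("alice", Set.of("user"));
        User carol = new User("carol", Set.of("admin"));
        System.out.println("own record:        " + load(alice, "1"));
        System.out.println("id edited in URL:  " + load(alice, "2"));
        System.out.println("admin role:        " + load(carol, "2"));
        System.out.println("malformed id:      " + load(alice, "2 OR 1"));
        System.out.println("no session:        " + load(null, "1"));
    }
}
```

A servlet calling `load` would forward to the JSP only on a non-null result and send an error status otherwise, so editing the address bar changes nothing about what the user is allowed to see.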