
how to disable address bar in explorer

Syed Saifuddin
Ranch Hand

Joined: Sep 01, 2003
Posts: 130

I am facing a problem: if a user changes the value of an argument in the address bar, he can see the JSP page which is restricted to him.

Please tell me whether it is possible to make the address bar read-only, disabled or invisible to the user so the application becomes safe.


Thank You & Best Regards,

Syed Saifuddin,
Senior Software Engineer

Eric Pascarello

Joined: Nov 08, 2001
Posts: 15385
You cannot do it.

Looks like you need to rethink the server side portion of the code.

Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15302

Here is what I do. I have a Servlet for every single JSP. Sometimes, all the servlet does is forward to the JSP. So my url never shows a .jsp in the address bar. It will only be something like:


Where page maps to a Servlet and the Servlet forwards to whatever JSP I need. Now if you pass parameters in the URL, which you still can, there is nothing you can do to keep people from changing these parameters. What you will have to do is, in your Servlet that accepts the request, make sure the parameters that are entered are valid for the request.

Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63838

If you are relying on the client-side for security, you are doing it wrong. Just hiding the address bar isn't going to prevent anyone from trying to spoof your system.

Take for example an app I am working on. Depending upon roles and ownership rules, different users are allowed to access different sets of records. When a search is performed, only the records that the user is allowed to see are displayed. Clicking on a search result brings up the record's details.

If I relied on the fact that the user can't see a 'forbidden' record to click on it, I'd be doing it completely wrong.

When the request to view a record's details comes in, I check on the server side whether the user has permission to access the record or not. That way, anyone trying to spoof the system by typing in URLs and changing parameters is still unable to view records that they are not supposed to.

I also encrypt the parameter values so that true keys are not exposed on the client side. This makes it harder to spoof URLs as well.

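The server-side check the replies above describe (a servlet in front of the JSP that validates the parameter and verifies the user's permission for the requested record), as an added example that is not code from the thread or from any poster's application. The servlet name, the `id` parameter, the `userId` session attribute, the JSP path and the in-memory permission map are all assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical servlet mapped to /record; the JSP path, the "id" parameter and
// the "userId" session attribute are assumptions made for this example.
public class RecordDetailsServlet extends HttpServlet {

    // Constructed sample data: record id -> user ids allowed to view it.
    // A real application would ask its database or role/ownership rules.
    private static final Map<Long, Set<String>> VIEWERS = Map.of(
            101L, Set.of("alice"),
            102L, Set.of("alice", "bob"));

    static boolean canView(String userId, long recordId) {
        Set<String> allowed = VIEWERS.get(recordId);
        return userId != null && allowed != null && allowed.contains(userId);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity comes from the server-side session, never from a request parameter.
        HttpSession session = req.getSession(false);
        String userId = session == null ? null : (String) session.getAttribute("userId");
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        long recordId;
        try {
            recordId = Long.parseLong(req.getParameter("id"));
        } catch (NumberFormatException e) { // also thrown when "id" is missing (null)
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Same answer for "forbidden" and "does not exist", so edited URLs reveal nothing.
        if (!canView(userId, recordId)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.setAttribute("recordId", recordId);
        // JSPs under WEB-INF cannot be requested directly; only this forward reaches them.
        req.getRequestDispatcher("/WEB-INF/jsp/recordDetails.jsp").forward(req, resp);
    }
}
```

Because the permission decision is made per request from session state, changing `id` in the address bar only ever yields records the logged-in user was already allowed to see.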