Preventing Bookmarks

Dushy Inguva
Ranch Hand

Joined: Jun 24, 2003
Posts: 264
Hi,

I want to prevent the user from using bookmarked links to access pages deep in my application.

When a bookmarked link is accessed, my application might throw an error if that page expects to find a previously initialized session scope bean. Yes I am using JSF, but I think this post is more relevant in this forum.

Now, I am trying to write a filter to prevent such occurrences. I have a request.getSession().isNew()

The problem is, when a user visits a bookmarked link, the server presents the login form (my filter is never invoked here), by the time the user enters username and password and logs in, the session is already created and the session.isNew() returns with a false.

Is there any way around this?

Thanks,
Dushy


SJCP, SCBCD, SJCD, SCDJWS, SCEA (Part I)
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

I do this by putting an object in session after a successful login.

Each page (using a filter) checks for the existence of that object.
If it's not there, then I forward the user to the login page.


Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305

No. In fact, some of the most successful security exploits on the Internet have been accomplished because a person (or program) can throw any text it likes at your server.

If you have deep-content pages interesting enough to bookmark, you should welcome the user, not thwart him/her. You can't control people's browsers anyway. The best you can do is synthesize temporary URIs that become meaningless when used at a later time.

I understand that you may need some context, however. Where possible, I recommend using wrapper services so as to minimize the manual maintenance of this aspect. That is, use container-based authorization rather than coded-in login logic, filters to detect lack of defined resources and create them (or redirect to a page where they can be created) and so forth.

As a last resort, custom JSP tags/servlet frontend logic can be used, but the first time you forget to include one on a newly created page, you've blown a hole in your system.


Customer surveys are for companies who didn't pay proper attention to begin with.
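One way to build the "temporary URIs" Tim mentions, as an added example that is not from this thread or from any poster's code: each deep link carries a random token that is minted into the current session, is single-use, and expires. A bookmarked copy of the link fails on every axis (different session, already consumed, or past its TTL), so the page falls back to the front door instead of throwing. The attribute name, TTL, parameter name and paths below are assumptions.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Per-session, single-use, expiring link tokens. Names, TTL and paths are assumptions. */
public final class TemporaryUris {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String STORE_KEY = "tempUriTokens";      // assumed session attribute
    private static final long TTL_MILLIS = 10 * 60 * 1000L;       // assumed: links live 10 minutes
    private static final String PARAM = "t";                       // assumed query parameter

    private static final class Entry {
        final String path; final long expiresAt;
        Entry(String path, long expiresAt) { this.path = path; this.expiresAt = expiresAt; }
    }

    @SuppressWarnings("unchecked")
    private static Map<String, Entry> store(HttpSession session) {
        synchronized (session) {   // best-effort: two requests in one session may race to create the map
            Map<String, Entry> m = (Map<String, Entry>) session.getAttribute(STORE_KEY);
            if (m == null) { m = new ConcurrentHashMap<>(); session.setAttribute(STORE_KEY, m); }
            return m;
        }
    }

    /** Mint a link to targetPath that only this session can use, once, within the TTL. */
    public static String mint(HttpSession session, String contextPath, String targetPath) {
        byte[] raw = new byte[24];                       // 192 bits from a CSPRNG: not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store(session).put(token, new Entry(targetPath, System.currentTimeMillis() + TTL_MILLIS));
        return contextPath + targetPath + "?" + PARAM + "=" + token;
    }

    /** Consume the token. A bookmarked, replayed, expired or cross-session link all fail. */
    public static boolean redeem(HttpSession session, String requestedPath, String token) {
        if (session == null || token == null) return false;
        Entry e = store(session).remove(token);          // remove first: single use even under a race
        return e != null && e.path.equals(requestedPath) && e.expiresAt > System.currentTimeMillis();
    }

    /** Example consumer: a deep page that only opens through a freshly minted link. */
    public static class ReportServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException, ServletException {
            String path = req.getRequestURI().substring(req.getContextPath().length());
            if (!redeem(req.getSession(false), path, req.getParameter(PARAM))) {
                resp.sendRedirect(req.getContextPath() + "/index.jsp");   // stale link: back to the front door
                return;
            }
            req.getRequestDispatcher("/WEB-INF/jsp/report.jsp").forward(req, resp);
        }
    }
}
```

The page that links to the report calls `TemporaryUris.mint(session, request.getContextPath(), "/report")` when rendering the anchor. Because the token travels in the query string it will land in browser history and Referer headers; the short TTL and single-use removal are what keep that from mattering, so do not lengthen the TTL to make bookmarks "work" again, which would defeat the purpose.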
Dan Novik
Ranch Hand

Joined: Jan 26, 2005
Posts: 39
You can close the direct access to your "internal" pages via filters.
Rigel Kentaurus
Greenhorn

Joined: Feb 09, 2005
Posts: 11
Originally posted by Dushy Inguva:
Hi,

I want to prevent the user from using bookmarked links to access pages deep in my application.

When a bookmarked link is accessed, my application might throw an error if that page expects to find a previously initialized session scope bean. Yes I am using JSF, but I think this post is more relevant in this forum.

Now, I am trying to write a filter to prevent such occurrences. I have a request.getSession().isNew()

The problem is, when a user visits a bookmarked link, the server presents the login form (my filter is never invoked here), by the time the user enters username and password and logs in, the session is already created and the session.isNew() returns with a false.

Is there any way around this?

Thanks,
Dushy


Don't try to control your users; you can't.

A better approach would be to check for that session object that you need, and if it is not found redirect the user to the main page, or to the page where that session object is created. Then even if the user bookmarks the page
http://yourpage.com/productResults he would be redirected to, say, http://yourpage.com/index, and only after he did the valid navigation you have decided for your site would he be able to enter that second results page.
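Putting Ben's login marker and Rigel's "redirect to where the object gets created" together, here is an added example (not code from this thread or from any poster) of a servlet filter mapped to every request. It keys on the presence of a user object rather than on `session.isNew()`, which, as the original question notes, is already false by the time the login form has been submitted. The attribute names, paths, the prerequisite table and the in-memory credential table are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Mapped to "/*" so a newly added page cannot be forgotten. Names and paths are assumptions. */
@WebFilter("/*")
public class SessionGuardFilter implements Filter {
    static final String USER_KEY = "authenticatedUser";
    static final String RETURN_KEY = "returnTo";
    static final String LOGIN_PAGE = "/login.jsp";
    static final String HOME_PAGE = "/index.jsp";

    /** Page prefix -> {session attribute it needs, page where that attribute is created}. */
    static final Map<String, String[]> PREREQUISITES = new LinkedHashMap<>();
    static {
        PREREQUISITES.put("/productResults", new String[] {"searchCriteria", "/search.jsp"});
        PREREQUISITES.put("/checkout",       new String[] {"cart",           "/cart.jsp"});
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ctx = request.getContextPath();
        String path = request.getRequestURI().substring(ctx.length());

        if (isPublic(path)) { chain.doFilter(req, res); return; }

        // getSession(false): never create a session just to discover it is empty.
        // isNew() is useless here because the login round-trip already created one.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_KEY) == null) {
            // Store only the context-relative path, never a caller-supplied URL:
            // a redirect target taken from a parameter would be an open redirect.
            String qs = request.getQueryString();
            request.getSession(true).setAttribute(RETURN_KEY, qs == null ? path : path + "?" + qs);
            response.sendRedirect(ctx + LOGIN_PAGE);
            return;
        }

        // Logged in, but the page may still need state produced by an earlier step.
        for (Map.Entry<String, String[]> rule : PREREQUISITES.entrySet()) {
            if (path.startsWith(rule.getKey()) && session.getAttribute(rule.getValue()[0]) == null) {
                response.sendRedirect(ctx + rule.getValue()[1]);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    static boolean isPublic(String path) {
        return path.equals("/") || path.equals(LOGIN_PAGE) || path.equals(HOME_PAGE)
                || path.equals("/login") || path.startsWith("/static/")
                || path.startsWith("/javax.faces.resource/");   // JSF resource requests must pass
    }
}

/** Login handler that plants the marker the filter looks for. */
@WebServlet("/login")
class LoginServlet extends HttpServlet {
    // Constructed demo table: user -> SHA-256 of "correct horse". A real app uses its realm.
    private static final Map<String, byte[]> USERS = new LinkedHashMap<>();
    static { USERS.put("dushy", sha256("correct horse")); }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        byte[] expected = user == null ? null : USERS.get(user);
        // MessageDigest.isEqual compares in constant time, so a wrong user and a wrong password look alike.
        if (expected == null || pass == null || !MessageDigest.isEqual(expected, sha256(pass))) {
            response.sendRedirect(request.getContextPath() + SessionGuardFilter.LOGIN_PAGE + "?failed=1");
            return;
        }
        // Session fixation defence: discard the pre-login session id before marking it authenticated.
        HttpSession old = request.getSession(false);
        Object returnTo = old == null ? null : old.getAttribute(SessionGuardFilter.RETURN_KEY);
        if (old != null) old.invalidate();            // or request.changeSessionId() on Servlet 3.1+
        request.getSession(true).setAttribute(SessionGuardFilter.USER_KEY, user);
        String target = returnTo instanceof String ? (String) returnTo : SessionGuardFilter.HOME_PAGE;
        response.sendRedirect(request.getContextPath() + target);
    }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

The two points a practitioner would want beyond the thread's advice are in the comments: the filter remembers only the context-relative path for the post-login return (a full URL from a parameter would be an open redirect), and the login servlet invalidates the session that existed before authentication so that a session id planted by an attacker cannot become an authenticated one.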