
Securing email forms

Jason Kwok
Ranch Hand

Joined: Mar 31, 2005
Posts: 126

First off, I'd like to apologise if this isn't the appropriate forum to present my problem. Basically, I have a form on a JSP page that posts email information to a servlet, which sends email using JavaMail.

My problem is that it's just a form, and there is nothing to prevent the form from being abused. The destination email address is fixed and only known to the servlet; I'm mainly concerned about people sending mass email through this form with no way of preventing it.

I was thinking of making a verification image, perhaps by using JCaptcha, and was wondering if that was the best way to go about securing a form like this? Or, are there easier alternatives to get the job done?

Ben Souther

Joined: Dec 11, 2004
Posts: 13410

You'd have to tell us a little more about how the form is used.

Do users have to be logged in to use it?
If so, all you would need to do is verify that they have a valid session.

Can they enter email addresses directly or are you getting the email addresses from a database on the back end?

The more we know about your requirements the more likely we will be to be able to give you good advice.

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
That sounds like a "contact me" page on a public web site, correct? In that case, a captcha should be sufficient to cut down on automatically sent mails.
Jason Kwok
Ranch Hand

Joined: Mar 31, 2005
Posts: 126
Ulf is right, it's a contact page on a public website. No login is required, and as such, no sessions are maintained in any way, shape or form at this point.

The destination email is retrieved from the database, and only known internally by the mail servlet. People using this form can only provide their name, reply email address, subject and message.

The form basically is constructed as such, where Mail is my servlet: