File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Servlets and the fly likes Prevent URL requested directly from browser Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "Prevent URL requested directly from browser " Watch "Prevent URL requested directly from browser " New topic

Prevent URL requested directly from browser

Mike Landis

Joined: Jun 05, 2003
Posts: 21
What is the best way to prevent user to request web application's pages (or actions if Struts based) from browser manually?
E.g. user is using web application and taking it's current url to clipboard. Then user goes e.g. to Google for surfing for a while.
After surfing (s)he pastes web applications url back to browser's address field.
Best technique in web applicaton to prevent this?
Jeroen Wenting
Ranch Hand

Joined: Oct 12, 2000
Posts: 5093
On each valid entrypoint store a flag in the session. On all other pages check for the existence of that flag and forward to the main entry point for the application if it is not there.
Does not prevent people from slipping to another site for a few minutes but does prevent people bookmarking pages inside the application and will cause spidered URLs to be redirected to the frontpage when people click on them in searchengines.

Mike Landis

Joined: Jun 05, 2003
Posts: 21
Ok, thanks!
Has anyone defined a design pattern for that?
David Hibbs
Ranch Hand

Joined: Dec 19, 2002
Posts: 374
Depending on what exactly you're trying to avoid, the EASIEST way may be simply to override the doGet method so that HTTP GET calls all result in a redirect or forbidden result.
A similar alternative is to use
to check whether the request method was get/post.
These of course assume that you're trying to prevent access to the results of a form action, but that seems the most reasonable place to prevent such an action.
Another possibility is to check if the session is new and do something based on that.
if ( request.getSession().isNew() )
// redirect to welcome page
Note of course that the above code could be compiled into a tag, making it easy to put it on any page that you wanted to protect.

"Write beautiful code; then profile that beautiful code and make little bits of it uglier but faster." --The team, Newsletter 039.
I agree. Here's the link:
subject: Prevent URL requested directly from browser
It's not a secret anymore!