JavaRanch » Java Forums » Java » Servlets
Safeguarding JSP pages

arunkumar subramanian
Ranch Hand

Joined: Jun 10, 2008
Posts: 32
Hi
I have been trying to safeguard the JSP pages from being accessed directly through the URL.
1. I want to put some restrictions on JSP pages based on roles.
After login to the system, users who do not have the privilege to
access a JSP page should get a 404 when they access it through the URL.
2. And servlets also.
3. General restriction on JSP pages, servlets and resources accessed through the URL.
I have been browsing through most of the sites but could not get
a solution.
Any ideas?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60738

Use a servlet filter to limit access to only authorized users.

Place your JSP pages under WEB-INF. That way, they cannot be directly addressed and can only be accessed through their page controllers.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
arunkumar subramanian
Ranch Hand

Joined: Jun 10, 2008
Posts: 32
Hi

Thanks for the reply. The application was already developed and I'm trying to just implement the security. I tried to move the JSPs under WEB-INF Folder, but since there are so many dependencies, I was not able to. I will give a try using the filters.

Are there some websites to go through for implementing filters?
arunkumar subramanian
Ranch Hand

Joined: Jun 10, 2008
Posts: 32
Thanks. The filter works.

I have come across this issue when using the filter. By default, how to restrict when the user types "http://.../jsp/filename.jsp" in the URL? He has logged on to the application (session is available), but still he should not be allowed to get the resource by typing the URL.
I'm opening some windows as popups. The user can still type those in the URL. How to restrict this?
Bosun Bello
Ranch Hand

Joined: Nov 06, 2000
Posts: 1510
As suggested, place them under WEB-INF


Bosun (SCJP, SCWCD)
So much trouble in the world -- Bob Marley
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Originally posted by Bear and Bosun:
As suggested, place them under WEB-INF


Just for the record and to provide an alternate view, I have always disliked this and prefer blocking direct access to JSPs via Apache (ie web server rules)
arunkumar subramanian
Ranch Hand

Joined: Jun 10, 2008
Posts: 32
Is there any other way to safeguard the JSP pages except moving them to the WEB-INF folder? As I already said, it takes more time to change all the dependencies.

Possibly I can write a filter to check each JSP based on role. But there are so many that I think I may miss some.

Please help.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Apache?
arunkumar subramanian
Ranch Hand

Joined: Jun 10, 2008
Posts: 32
Thanks.

I'm not sure about using Apache. Can you throw some light on it or send me some links so that I can go through them?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by arunkumar subramanian:

Possibly I can write a filter to check each JSP based on role. But there are so many that I think I may miss some.


If your filter mapping has a url-pattern of *.jsp, you'll catch all of them in one shot.


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
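Putting Bear's suggestion (a filter that admits only authorised users) together with Ben's mapping (a url-pattern of *.jsp catches every page at once), here is an added example of such a filter. It is not code from anyone in this thread. It assumes that the login code stores the user's role names as a Set<String> in the session attribute "roles", that the login page is /login.jsp, and that the path prefixes and role names in the rule table are placeholders for the application's own. It uses the Servlet 3.0 @WebFilter annotation; on a Servlet 2.4/2.5 container the same mapping is declared in web.xml with a filter-mapping whose url-pattern is *.jsp.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Role-based access filter mapped to every JSP in the application.
 *
 * The mapping uses the default dispatcher type (REQUEST only), so the filter
 * runs for JSPs typed directly into the address bar or opened as popups, but
 * NOT for RequestDispatcher.forward() calls made by controller servlets.
 * The normal page flow therefore keeps working while direct access is closed.
 *
 * Assumptions (not from the thread): login stores a Set<String> of role names
 * under the session attribute "roles"; the login page is /login.jsp; the path
 * prefixes and role names below are placeholders.
 */
@WebFilter(urlPatterns = "*.jsp")
public class JspAccessFilter implements Filter {

    static final String ROLES_ATTR = "roles";
    static final String LOGIN_PAGE = "/login.jsp";

    /** Path prefix (relative to the context root) -> role required to view it. */
    private final Map<String, String> rules = new LinkedHashMap<>();

    @Override
    public void init(FilterConfig config) {
        // Most specific prefixes first; the first matching prefix wins.
        rules.put("/jsp/admin/", "admin");
        rules.put("/jsp/reports/", "manager");
        rules.put("/jsp/", "user");
    }

    /** Returns the role a path requires, or null when no rule covers it. */
    String requiredRole(String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // For a *.jsp mapping the servlet path is the full path, e.g. "/jsp/admin/users.jsp".
        String path = request.getServletPath();
        if (LOGIN_PAGE.equals(path)) {
            chain.doFilter(req, res);   // the login page itself must stay reachable
            return;
        }

        HttpSession session = request.getSession(false);
        @SuppressWarnings("unchecked")
        Set<String> roles = session == null ? null : (Set<String>) session.getAttribute(ROLES_ATTR);
        if (roles == null) {
            // Not logged in: send to the login page.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        String needed = requiredRole(path);
        if (needed != null && !roles.contains(needed)) {
            // Logged in but lacking the role: answer 404, as the poster asked, so the
            // response does not confirm to that user that the page exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the filter only intercepts REQUEST dispatches, a controller servlet's requestDispatcher.forward("....jsp") reaches the page untouched, which is why mapping it to *.jsp does not lock out logged-in users following the normal links. The servlets themselves (point 2 of the original question) are not covered by a *.jsp pattern; add their URL patterns to the mapping, or place a second mapping on the servlet paths, so that typing a servlet URL is checked the same way.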
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by David O'Meara:

...I have always disliked this ...


Dave,
Out of curiosity, what don't you like about this approach?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60738

Originally posted by Ben Souther:
Out of curiosity, what don't you like about this approach?
Yeah, I'd be interested too. It's the standard and safe way to protect resources from URL access, and requires no extra code.
arunkumar subramanian
Ranch Hand

Joined: Jun 10, 2008
Posts: 32
Bear,

I'm not sure of it. The user has logged in to the application, and selecting some link opens up a JSP page. He can grab the JSP page URL and type it in the base window after login. How to prevent this?

I may be wrong here, if I restrict *.jsp using filter won't it prevent everything whether the user has logged in or not?

A code sample would help me if it is not right. I'm trying very hard to do this, but could not get a perfect solution.
arunkumar subramanian
Ranch Hand

Joined: Jun 10, 2008
Posts: 32
<security-constraint>
<web-resource-collection>
<web-resource-name>noAccess</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>

This prevents anyone even if he has logged on. My application is just JSP/Servlet. So I'm forwarding the response to the servlet using requestdispatcher.forward("....jsp"); Once I log on the next page does not come up and instead I get the login page again.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by arunkumar subramanian:
<security-constraint>
<web-resource-collection>
<web-resource-name>noAccess</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>

This prevents anyone even if he has logged on. My application is just JSP/Servlet. So I'm forwarding the response to the servlet using requestdispatcher.forward("....jsp"); Once I log on the next page does not come up and instead I get the login page again.



This isn't a filter, this is a security constraint.
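For comparison with the filter approach, here is an added example (not from anyone in this thread) of the declarative security-constraint written so that it admits users instead of denying everyone. The posted constraint has an auth-constraint with no role-name, and the Servlet specification defines that to mean no one may access the collection. Role names, the /jsp/admin/ path and the login page paths are assumptions; the *.jsp pattern is replaced with /jsp/* so that the login page at the context root stays outside the constrained area.

```xml
<!-- Added example, not from the thread. Role names and paths are assumptions. -->

<!-- Pages only administrators may request directly. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>adminPages</web-resource-name>
    <url-pattern>/jsp/admin/*</url-pattern>
    <!-- No <http-method> elements: the constraint then covers every HTTP
         method. Listing only GET and POST leaves HEAD, PUT etc. unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- An EMPTY <auth-constraint/> denies every user, which is what the
         posted configuration did; naming a role admits members of that role. -->
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Every other page under /jsp/ needs a login but no particular role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>memberPages</web-resource-name>
    <url-pattern>/jsp/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- "*" means any authenticated user, whatever roles the user holds. -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<!-- The login page lives at the context root, outside the constrained patterns. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

Two properties of this mechanism matter for the thread's question. First, a security-constraint is enforced only on requests arriving from the client; the specification states that it does not apply when a servlet uses a RequestDispatcher forward or include, so a controller forwarding to a JSP under /jsp/ is unaffected. Second, a logged-in user lacking the role receives the container's 403 response, not the 404 the original poster wanted; producing a 404 for such users needs the filter approach.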
arunkumar subramanian
Ranch Hand

Joined: Jun 10, 2008
Posts: 32
I have tried several ways. So security constraint was one way. Filter was another and some others.

If I use a filter, the user has logged in to the application, and selecting some link opens up a JSP page. He can grab the JSP page URL and type it in the base window after login. How to prevent this?

I may be wrong here, if I restrict *.jsp using filter won't it prevent everything whether the user has logged in or not?

My application is just JSP/Servlet. So I'm forwarding the response to the servlet using requestdispatcher.forward("....jsp"); Once I log on the next page does not come up and instead I get the login page again.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Originally posted by Bear Bibeault:
Yeah, I'd be interested too. It's the standard and safe way to protect resources from URL access, and requires no extra code.


Safe (in terms of protecting JSPs): yes, standard: no, and that is my main issue. While it is a common practice, I believe the specification is not well defined in this area and therefore the support and behaviour of using the RequestDispatcher to access resources in the WEB-INF directory is not clear.

When moving from one product to another, or even between versions of the same product, you cannot ensure that the behaviour will be consistent from one to the next. I had this issue a long time ago when first playing with the JSP-in-WEB-INF setup, and discovered the hard way (via trawling the source code) that the version of Tomcat I was using did not allow any access to resources in the WEB-INF directory.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60738

Originally posted by David O'Meara:
I believe the specification is not well defined in this area


From section SRV.9.5 of the Servlet Specification (2.4):
Also, any requests from the client to access the resources in WEB-INF/ directory must be
returned with a SC_NOT_FOUND(404) response.

I'd argue that that's pretty well-defined. Any container that serves resources out of WEB-INF is clearly broken.

Now if your concern is "some containers are broken"...
[ June 12, 2008: Message edited by: Bear Bibeault ]
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

I think David meant it the other way around.
I remember this from way back.
Some containers didn't allow access, via requestDispatcher, to resources under WEB-INF.

I haven't heard of a container having this issue for a long time.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60738

Ahhhhh.... yes, I recall that issue from way back. I stand corrected.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

I'm having trouble explaining this clearly, but I'm referring to the behaviour or logic in the org.apache.jasper.servlet.JspServlet

I'll try again after work.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

Originally posted by Ben Souther:
I haven't heard of a container having this issue for a long time.


But I still don't believe that the quote posted by Bear implies or states anything about the behaviour in other cases. It does not say 'Internal access to resources contained within the WEB-INF directory (for example via RequestDispatchers) is allowed and works the same as if the resource existed outside the WEB-INF directory'.