
Make a resource (servlet) inaccessible to a client

 
Raf Szczypiorski
Ranch Hand
Posts: 383
Hi.
I have the following use case: I want to add a user to the system. Right now I have an HTML form whose "action" attribute specifies a servlet, which is responsible for the actual processing of the form's parameters and adding the user. However, the servlet is accessible from the client directly. I know I can "hide" the servlet in WEB-INF / META-INF, but then it would be inaccessible to the form, wouldn't it?
How can I do this?
Thanks.
 
Himanshu Gupta
Ranch Hand
Posts: 598
Are you using a session? If yes, then before doing anything you can validate the session.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64830
Originally posted by Raf Szczypiorski:
However, the servlet is accessible from the client directly.
Right. Otherwise, as you surmised, the form couldn't post to it.

Are you just trying to make sure that the input comes from the form and not typed into the address bar of the browser?

If so, there is a pattern to use:

1) In the page controller for the form page, generate a unique token value. It could be anything, as long as it's uniquely generated each time.

2) Place it in the session.

3) Generate a hidden form field with this token value.

4) When the form is submitted, check that the session value exists, that the submitted value exists, and that the value matches the one in the session. If not, do not process the submission.

5) Remove the session value.
[ October 21, 2008: Message edited by: Bear Bibeault ]
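The five steps above, as an added example that is not code from the original posts: a single servlet whose GET renders the form (steps 1-3) and whose POST validates and consumes the token before adding the user (steps 4-5). The URL mapping, attribute and field names, the Servlet 3.0 annotation and the addUser() placeholder are assumptions; the token comes from SecureRandom and is compared in constant time.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/addUser")  // hypothetical mapping: GET renders the form, POST processes it
public class AddUserServlet extends HttpServlet {
    private static final String SESSION_KEY = "addUserFormToken"; // assumed attribute name
    private static final String FIELD_NAME = "formToken";         // assumed hidden-field name
    private static final SecureRandom RNG = new SecureRandom();
    // Steps 1-2: unpredictable per-render token, stored in the session.
    static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_KEY, token);
        return token;
    }
    // Steps 4-5: consume the token exactly once; true only when it matches.
    static boolean consumeToken(HttpSession session, String submitted) {
        if (session == null) return false;            // no session at all: reject
        Object expected = session.getAttribute(SESSION_KEY);
        session.removeAttribute(SESSION_KEY);         // one-shot, removed even on failure
        if (!(expected instanceof String) || submitted == null) return false;
        return MessageDigest.isEqual(                 // constant-time comparison
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String token = issueToken(req.getSession(true));
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().println("<form method='post' action='addUser'>"   // step 3: hidden field
                + "<input type='hidden' name='" + FIELD_NAME + "' value='" + token + "'>"
                + "<input name='username'> <input type='password' name='password'>"
                + "<button type='submit'>Add user</button></form>");
    }

    @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!consumeToken(req.getSession(false), req.getParameter(FIELD_NAME))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid form token");
            return;                                   // do not process the submission
        }
        addUser(req.getParameter("username"), req.getParameter("password")); // the existing logic
    }
    private void addUser(String username, String password) { /* placeholder for the poster's existing code */ }
}
```

Because the token is removed from the session before the comparison result is known, a replayed or refreshed submission fails and the user has to reload the form to get a fresh token.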
 
Raf Szczypiorski
Ranch Hand
Posts: 383
Hi. Yes, I want to make sure the input comes only from the form. It can't come from a GET request with a prepared URL, as I am using POST with this one, so that the data can be sent encrypted (the username, and especially the password). I thought maybe there is a standard way in the specs to do this. I will definitely try your suggestions. Thank you for your answers.
 