JavaRanch » Java Forums » Java » Servlets
Make a resource (servlet) inaccessible to a client

Raf Szczypiorski
Ranch Hand

Joined: Aug 21, 2008
Posts: 383
Hi.
I have the following use case: I want to add a user to the system. Right now I have an HTML form with an "action" attribute specifying a servlet, which is responsible for the actual processing of the form's parameters and adding the user. However, the servlet is accessible from the client directly. I know I can "hide" the servlet in WEB-INF / META-INF, but then it would be inaccessible to the form, wouldn't it?
How can I do this?
Thanks.
Himanshu Gupta
Ranch Hand

Joined: Aug 18, 2008
Posts: 598

Are you using a session? If yes, then before doing anything you can validate the session.


My Blog SCJP 5 SCWCD 5
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60741

Originally posted by Raf Szczypiorski:
However, the servlet is accessible from the client directly.
Right. Otherwise, as you surmised, the form couldn't post to it.

Are you just trying to make sure that the input comes from the form and not typed into the address bar of the browser?

If so, there is a pattern to use:

1) In the page controller for the form page, generate a unique token value. Could be anything, as long as it's uniquely generated each time.

2) Place it in the session.

3) Generate a hidden form field with this token value.

4) When the form is submitted, check that: the session value exists, that the submitted value exists, and that the value matches that in the session. If not, do not process the submission.

5) Remove the session value.
[ October 21, 2008: Message edited by: Bear Bibeault ]

[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
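The five steps above as one servlet, added here as an illustration (not code from the thread or from any poster). It assumes a javax.servlet container, the servlet mapped at /addUser so that GET renders the form and POST processes it, and the session attribute name addUserFormToken and request parameter name token are both made up for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.http.*;

// One servlet both serves the form (GET) and processes it (POST), so the token
// is issued and checked in one place. Assumed to be mapped at /addUser.
public class AddUserServlet extends HttpServlet {
    static final String TOKEN_ATTR = "addUserFormToken";   // session attribute name (assumed)
    private static final SecureRandom RNG = new SecureRandom();

    // Steps 1 and 2: an unpredictable token, stored in the session
    static String issueToken(HttpSession session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        session.setAttribute(TOKEN_ATTR, hex.toString());
        return hex.toString();
    }

    // Step 3: render the form with the token in a hidden field (hex, so safe to embed in HTML)
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String token = issueToken(req.getSession(true));
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<form method=\"post\" action=\"addUser\">");
        out.println("<input type=\"hidden\" name=\"token\" value=\"" + token + "\">");
        out.println("User: <input name=\"username\"> Password: <input type=\"password\" name=\"password\">");
        out.println("<input type=\"submit\" value=\"Add user\"></form>");
    }

    // Steps 4 and 5: both copies must exist and match, and the token is single-use
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);            // never create a session here
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String submitted = req.getParameter("token");
        if (session != null) session.removeAttribute(TOKEN_ATTR); // step 5, whatever the outcome
        if (expected == null || submitted == null
                || !MessageDigest.isEqual(expected.getBytes("UTF-8"), submitted.getBytes("UTF-8"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Form token missing or invalid");
            return;                                              // do not process the submission
        }
        // token OK: the existing user-creation code (username/password parameters) runs here
        resp.sendRedirect(req.getContextPath() + "/addUser");    // fresh form, fresh token
    }
}
```

Because the token is removed on every POST, a replayed or duplicated submission is rejected, and a request that never loaded the form has no session value to match.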
Raf Szczypiorski
Ranch Hand

Joined: Aug 21, 2008
Posts: 383
Hi. Yes, I want to make sure the input comes only from the form. It can't come from a GET request with a prepared URL, as I am using POST for this one, so that the data can be sent encrypted (the username, and especially the password). I thought maybe there is a standard way in the specs to do this. I will definitely try your suggestions. Thank you for your answers.