Need Solution for accesing Action servlet only on Submit

Hi All,

I am trying to provide a security solution for a Cross-Site Request Forgery issue.

Solution:
*********
1. Using a filter, I generate a random number using the SecureRandom class and add it to a session variable.

2. In a JSP, I have added a hidden variable that gets populated with the value generated by the filter class.

3. On submitting the page, in the action servlet, I check whether the value generated by the filter is the same as the value currently in the JSP hidden variable; if it is the same I process the request, if not I send an error page.

Note: For each and every hit (from page to page), a new random number is generated.

Problem:
********
This works 100% fine when I try to access any .jsp files, but it does not work when I try to access a .do service.

I know that on accessing a .do file it first calls the controller, and the view page loads only based on the controller. Since I am checking in the action servlet for the hidden variable, which is not populated in the JSP at that point in time, I am getting an error page even though a valid course of action takes place.

Any solution for this? I am very confused; any sort of help would be highly helpful.



Regards
Siva
shiva murugan
I wish only to do a check on submitting the request, not while loading the page.

1. Using a filter, I generate a random number using the SecureRandom class and add it to a session variable.

2. In a JSP, I have added a hidden variable that gets populated with the value generated by the filter class.

3. On submitting the page, in the action servlet, I check whether the value generated by the filter is the same as the value currently in the JSP hidden variable; if it is the same I process the request, if not I send an error page.

Note: For each and every hit (from page to page), a new random number is generated.



If the filter generates a token every time and stores it in the session, how would that value be equal to the hidden param value coming in the request? Remember that the variable was set in the previous request and flushed out from the JSP in the previous response, and that's how it's coming in in the current request.

Also, if you set that right, you will have to account for the 'first' request, which will not have an incoming hidden variable.

ram.
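The ordering problem ram describes (the filter rotates the session token before the action compares it) and the two edge cases he raises (the first request has no token; page loads must not be checked) can all be handled in the filter itself. The following is an added example, not code from Siva, ram or the thread: a servlet Filter that validates the token carried by a form submission against the value issued with the previous response, and only then rotates it. It assumes the javax.servlet API (Servlet 2.5 or later, Java 8 for Base64); the attribute name and parameter name "csrfToken" are assumptions, as is the choice to check only non-GET requests.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the thread): synchronizer-token filter that
// validates before it rotates, so the action never sees a freshly
// regenerated token that the submitted form could not have carried.
public class CsrfTokenFilter implements Filter {

    // Session attribute holding the token rendered into the previous page,
    // and the request parameter name of the hidden field (assumed names).
    static final String TOKEN_ATTR = "csrfToken";
    static final String TOKEN_PARAM = "csrfToken";

    private final SecureRandom random = new SecureRandom();

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // 1. Validate BEFORE rotating. The token currently in the session is
        //    the one written into the hidden field of the last page served,
        //    i.e. the value a genuine form submission carries back.
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        if (isStateChanging(request)) {
            String submitted = request.getParameter(TOKEN_PARAM);
            if (!tokensMatch(expected, submitted)) {
                // Covers a missing token and a mismatched token alike.
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Invalid or missing CSRF token");
                return;
            }
        }

        // 2. Only now issue a fresh token for the page about to be rendered.
        //    Page loads (GET), including the very first request with no
        //    token yet and *.do requests that merely forward to a view,
        //    skip the check and fall straight through to this step.
        session.setAttribute(TOKEN_ATTR, newToken());

        chain.doFilter(request, response);
    }

    // Form submissions are POSTs; GET/HEAD/OPTIONS load pages and are not
    // checked, which is exactly "check on submit, not on page load".
    static boolean isStateChanging(HttpServletRequest request) {
        String method = request.getMethod();
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        // Constant-time comparison so the check does not leak via timing.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    // 256 bits from SecureRandom, URL-safe Base64 so it drops into a form field.
    String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

The JSP renders the session value into the form as before (for example `<input type="hidden" name="csrfToken" value="<c:out value='${sessionScope.csrfToken}'/>">`), and the action no longer has to compare anything because a request that reaches it has already passed the filter. With the filter mapped to `/*` the behaviour is the same for `.jsp` and `.do` URLs. One design consequence of rotating on every hit, as in Siva's scheme, is that a stale page in a second browser tab or reached via the back button will fail validation; a single token kept for the lifetime of the session avoids that and is still a sound CSRF defence, so the rotation step is a choice rather than a requirement.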
shiva murugan
The scenario is: the value is generated in the Filter class and added to the session; once the JSP loads, the value from the session is assigned to the hidden variable in the JSP; on submitting the form, in the action class, the value generated in the Filter class is compared with the hidden variable.

If both values are the same I process the submitted form; if not I send an error page.

On successful submission, a request is dispatched, which again passes through the Filter class, and the cycle continues.

This is working when I access the .jsp page in the URL, but in the case of the .do service, before the generated value is assigned to a hidden variable, it is verified in the action class. Any suggestion on how to tackle this problem?

Siva
According to my understanding, your filter should intercept each response; before sending the response to the client you are generating a random number and saving it in the session. Now on the JSP page you are saving the same random number as a hidden variable, and when the user submits the request you validate the random number in the action/servlet. Please check the following in your application:
Please check whether your filter is configured for every URL (including *.do) or not.
If yes, check whether you are getting the same random number in the JSP file or not. You can check this using View Source. If yes, it should be present when the user submits the request again.

Anyway, if you are using Struts, you can use a ready-made API for the same functionality (called the tokenizer pattern). Struts 1.x provides the following API in the Action class for the same purpose