Need Solution for accessing Action servlet only on Submit

shiva murugan
Greenhorn

Joined: Jan 08, 2010
Posts: 17
Hi All,

I am trying to provide a security solution for a cross-site request forgery issue.

Solution:
*********
1. Using a filter, I generated a random number using the SecureRandom class and added it to a session variable.

2. In a JSP, I have added a hidden variable that gets populated with the value generated by the filter class.

3. On submitting the page, in the action servlet, I am checking whether the value generated by the filter is the same as the value currently in the JSP hidden variable. If it is the same I will process the request; if not I send him an error page.

Note: For each and every hit (from page to page), a new random number is generated.

Problem:
********
This works 100% fine when I am trying to access any .jsp files, but this does not work when I try to access a .do service.

I knew that, on accessing a .do file, it first calls the controller, and the view page loads only based on the controller. Since I am checking in the action servlet for the hidden variable, which is not populated in the JSP at that point of time, I am getting an error page, even though a valid course of action takes place.

Is there any solution for this? I am very confused; any sort of help would be highly helpful.



Regards
Siva
shiva murugan
Greenhorn

Joined: Jan 08, 2010
Posts: 17
I wish only to do a check on submitting the request, but not while loading the page.
ramprasad madathil
Ranch Hand

Joined: Jan 24, 2005
Posts: 489

1. Using a filter, I generated a random number using the SecureRandom class and added it to a session variable.

2. In a JSP, I have added a hidden variable that gets populated with the value generated by the filter class.

3. On submitting the page, in the action servlet, I am checking whether the value generated by the filter is the same as the value currently in the JSP hidden variable. If it is the same I will process the request; if not I send him an error page.

Note: For each and every hit (from page to page), a new random number is generated.


If the filter generates a token every time and stores it in the session, how would that value be equal to the hidden param value coming in the request? Remember that the variable was set in the previous request and flushed out from the JSP in the previous response, and that's how it's coming in in the current request.

Also, if you set that right, you will have to account for the 'first' request, which will not have an incoming hidden variable.

ram.
shiva murugan
Greenhorn

Joined: Jan 08, 2010
Posts: 17
The scenario is: the value is generated in the Filter class and added to the session. Once the JSP loads, the value from the session is assigned to the hidden variable in the JSP. On submitting the form, in the action class, the value generated in the Filter class is compared with the hidden variable.

If both values are the same I will process the submitted form; if not I will send an error page.

On successful submission, a request is dispatched, which again passes through the Filter class, and the cycle continues.

This is working when I am accessing the .jsp page in the URL, but in the case of the .do service, before the generated value is assigned to a hidden variable, it is being verified in the action class. Any suggestion on how to tackle this problem?

Siva
Ravishanker kumar
Ranch Hand

Joined: Jul 20, 2006
Posts: 53
According to my understanding, your filter should intercept each response; before sending the response to the client you are generating a random number and saving it in the session. Now on the JSP page you are saving the same random number as a hidden variable, and when the user submits the request you validate the random number in the action/servlet. Please check the following in your application:
Please check whether your filter is configured for each URL (including *.do) or not.
If yes, check whether you are getting the same random number in the JSP file or not. You can check this using view source. If yes, it should be present when the user submits the request again.

Anyway, if you are using Struts, you can use a ready-made API for the same functionality (called the tokenizer pattern). Struts 1.x provides the following API in the Action class for the same purpose
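
Added example, not part of any post above and not the Struts token API mentioned in the last reply: a plain servlet filter that validates the token only on submit (POST), compares against the token stored by the previous request before issuing a new one, and lets the first GET through. The class name and the `csrfToken` attribute/field name are assumptions, and it presumes the filter is mapped to `/*` so `.do` requests pass through it too.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class): map to /* so it also covers *.do requests.
public class CsrfTokenFilter implements Filter {
    static final String TOKEN = "csrfToken"; // assumed session attribute and form field name
    private final SecureRandom random = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        // Token stored while the previous response (the form page) was built.
        String expected = (String) session.getAttribute(TOKEN);

        // Check only on submit; GET page loads (including the first request) pass through.
        if ("POST".equalsIgnoreCase(req.getMethod())) {
            String sent = req.getParameter(TOKEN);
            if (expected == null || sent == null || !sameValue(expected, sent)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid or missing CSRF token");
                return;
            }
            expected = null; // one-time token: issue a fresh one after a valid submit
        }
        if (expected == null) {
            byte[] raw = new byte[32];
            random.nextBytes(raw);
            expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN, expected);
        }
        // The JSP renders this as <input type="hidden" name="csrfToken" value="${csrfToken}">
        req.setAttribute(TOKEN, expected);
        chain.doFilter(req, res);
    }

    // Constant-time comparison so the check does not reveal how many characters matched.
    static boolean sameValue(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because only POST is checked, state-changing actions must reject GET, otherwise the same `.do` URL can be triggered without a token. Rotating the token after each valid submit also invalidates forms already open in other tabs of the same session.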