Prevent intermediate access to any jsp page

neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
Hi,

I have created 4 JSP pages, namely login.jsp, page2.jsp, page3.jsp and page4.jsp.
When the user clicks on the next button of login.jsp, he is redirected to page1.jsp; likewise,
the next button on page2 takes him to page3, and that of page3 takes him to page4.jsp.

However, if instead of that he simply types the URL of page3.jsp in the browser,
he gets redirected to it. I want to restrict the user from doing this.

Could anyone kindly help as to what code I need to include in my JSP page
to include this functionality?


Regards
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61773
    
  67

You could track whether the user has already visited the previous pages in session and redirect to the first page that has yet to be visited.

This logic should be in the page controller servlets, not the JSPs themselves. No Java code should ever appear in a modern JSP.


neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
Hi,

Thanks for the quick reply. I am really new to JSP and servlets. It will be really kind of you if you can elaborate a little more on the servlet controller. If possible, kindly provide a snippet. Looking forward to your help.

Regards.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61773
    
  67

If you are new to JSP and Servlets, getting off onto the right foot and avoiding establishing bad habits is important. Rule #1: no Java code in JSPs! That's a bad practice that is almost 10 years out-of-date now, but is still inexplicably prevalent. Don't fall into that trap!

You might find this article helpful in understanding exactly how JSPs operate. And this article explains controllers and proper web application structure.
neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
Hi,

Thanks again for the quick reply. I'll go through the links that you have suggested.

Regards
neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
Hi,

I have two JSP files (page1.jsp and page2.jsp) that I have placed in the "WebContent\WEB-INF\jsp" folder.

Page1.jsp





I wrote a servlet class HomeServlet in order to provide access to page1:

When I run the servlet from the browser as http://localhost:8080/website/HomeServlet, I am able to get Page1. However, on clicking the OK button on Page1, I am not able to navigate to the next page, i.e. Page2. It's showing an HTTP 404 error (The requested resource (/Page2.jsp) is not available.)


Kindly help.

Regards
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

You are willing to go to page2, but you are mentioning page1


In addition to this, as far as I know, anything stored inside WEB-INF can't be directly accessed by the client. You need a url-mapping for this, and inside that location.replace you need to pass that URL.


Swastik
neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
Hi,

Thanks for the reply. By mistake I wrote it here as Page1. In the original code I have written it correctly as:


Please elaborate a bit on URL mapping. It will be really nice of you if you could show me how I write the URL mapping for the code that I posted previously.

Regards.
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

I believe you might have already done url-mapping for your servlet in web.xml. In the same way you need to add url-mapping for your jsp inside web.xml somewhat like this



And in location.replace(" http://localhost:8080/website/Hello");

After making changes in web.xml don't forget to restart the server.
neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
Hi,
I tried what you suggested. However, it's giving an error that the resource Hello is not found.
Does it mean that I need to write another servlet, Hello.java:



Kindly help.

Regards.
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

No, you don't have to, because you are mapping a jsp page to /Hello. Please show us the web.xml.
neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
Hi,

Thanks for the reply. Here is the web.xml file content:


Page1.jsp


Page2.jsp


And HomeServlet.java



Kindly help.

Regards.
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

Clear history, cookies etc from browser. Restart tomcat once again, and type the following url directly in the browser and let us know what happens. Otherwise everything looks fine.

http://localhost:8080/website/Hello

neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
Hi,
I am getting the following http error:-

HTTP Status 404 - /website/Hello

type Status report

message /website/Hello

description The requested resource (/website/Hello) is not available.

Apache Tomcat/7.0.11


Regards.
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

Did you restart tomcat after changing web.xml, and have you saved Page2.jsp inside website/WEB-INF/jsp? Same things worked for me without any issues.
neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
Hi,

I have restarted the server and Page2.jsp is present in the required folder, yet I am getting the same error.
If possible, do guide.

Regards
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

Your entire code worked for me without any changes. The only difference is I am on Tomcat 6. Maybe we need to find out if something is different on Tomcat 7.
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

For me it worked on Tomcat 7 as well.
Praveen Kumarji
Greenhorn

Joined: Mar 28, 2011
Posts: 5
You can use session.isNew()
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

Has it got anything to do with sessions? It's simply a 404 page not found error.
neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
@Swastik: Thanks for your replies. I tried once again; it's still not working for me. I am still getting the 404 error. However, I don't think it's going to serve my purpose, because I don't want the user to get direct access to any JSP page. According to the solution that you provided, the user can still type in the URL
http://localhost:8080/website/Hello and get direct access to Page2.
Please suggest some way through which I can restrict direct access. Do I need to create a Session object?

Regards
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2718
    
    6

First of all, I would say using JavaScript to generate links like that is not a good idea, for two reasons:
1. You are telling the actual URL to the browser, which can be seen, so there is a security problem.
2. Such hard binding is undesirable when code maintenance is concerned.

Now back to your original question:
as Bear said, you can place a controller in between which monitors page accesses and forwards or denies requests based on need.
If you are not getting that, you can set an attribute in the session created by the first JSP and check if it exists in the second one; if not, redirect. This is one of the simplest ways of doing it,
although not the best one.
Hope this helps


SCJP, SCWCD.
neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
@Amit: Thanks for the reply. I did follow Bear's advice and wrote a controller servlet to access the first JSP page (Page1.jsp).

However, I don't have any idea as to how to access the second page (Page2.jsp) on clicking the next button of Page1.jsp. Does it require writing another controller servlet for Page2.jsp?
Kindly help, as I want to implement it in the best possible way.

Regards.
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

One servlet should be good enough to handle both the requests, and that is the real use of a controller servlet. As in the first request you are simply invoking the servlet, but when you call the servlet next time to show Page2, you may call it with some query parameters, and accordingly handle the request in servlet.



neha priya
Ranch Hand

Joined: Jul 03, 2010
Posts: 62
@Swastik: Thanks for the reply. However, the user can still access Page2 directly by typing in the URL "http://localhost:8080/website/HomeServlet?pgname=Page2".
This should not be the case, as we don't want the user to get direct access.

Regards.
Swastik Dey
Rancher

Joined: Jan 08, 2009
Posts: 1479
    
    6

How come the user knows about this URL? Is he/she going to look into your JavaScript code? If you are worried even about that, keep it inside some .js file.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16308
    
  22

Actually, a more important thing to do would be to GET RID OF THE LOGIN URL!!!

This is a primary weakness on most Do-it-Yourself security systems. Many - probably most - of them expect people to use the system honestly. Bad Guys aren't honest, and they'll bypass the login page in a heartbeat if it gets them to the goodies.

Unless you have a nice big security budget and a bunch of paranoid professionals to ensure that each and every thing ever done to the webapp over its entire lifespan is secure, you're far better off using the J2EE builtin container-managed security system.

You do this by defining the login/loginfail JSPs in web.xml. These pages are never directly referenced by URL. Instead, when a user attempts to access a secured URL, the server takes over and presents the login page. Only if the login succeeds will the application forward to the application JSP and code. Otherwise the server will block the attempt and no URL games will get around it.

That will address the security problems and the best thing about it is that no application coding is required to make it work.

Of course, if you have a "page 2" that requires data from "page 1", that's not a security issue, it's a workflow issue. About the best you can do on that is to make page 2 reject any attempts to operate on missing data - possibly by redirecting to page 1 if the required info wasn't set up. The ability to directly access web pages can be a problem, but it's also a blessing, since directly-accessible pages can be bookmarked so that frequently-used functions can be rapidly accessed. When augmented by container-managed security, you can make an app both flexible AND secure.


Customer surveys are for companies who didn't pay proper attention to begin with.
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2718
    
    6

Swastik Dey wrote: How come the user knows about this URL? Is he/she going to look into your JavaScript code? If you are worried even about that, keep it inside some .js file.

With the HTTP GET method, you see the URL in the address bar, right?
Rajeev roushan sharma
Ranch Hand

Joined: Jan 28, 2010
Posts: 50
You should never use JS to perform navigation. I would have done the below to perform the same thing.
i) Make page1 the welcome file and create a session in this page (one-liner code).
ii) No need to write JS and an onclick handler. Make a simple anchor and use CSS to make it look like a button. Put href="/controller?pagename=page2" in the 2nd page, and repeat the same for the other JSPs.
iii) Simply make a servlet controller and pass a query string ("pagename") and check for a pre-existing session like (HttpSession session = request.getSession(false)); if it exists, then forward to the pagename parameter value, otherwise create a new session and forward to the welcome page.
And you are done. Not sure whether it is the best approach, but better.
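The session-tracked controller suggested several times in this thread, as an added example that is not code from any poster. It records the furthest step a session has earned, so a typed `?step=` value cannot skip ahead; the `/wizard` mapping, the `step` parameter and the `furthestStep` attribute are hypothetical names, and the JSP paths assume the pages sit under WEB-INF.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
// Added example: one controller for the whole page sequence. The mapping,
// parameter and attribute names are hypothetical, not from the thread.
@WebServlet("/wizard")
public class WizardController extends HttpServlet {
    // JSPs live under WEB-INF, so only a server-side forward can reach them.
    private static final String[] VIEWS = {
        "/WEB-INF/jsp/login.jsp", "/WEB-INF/jsp/page2.jsp",
        "/WEB-INF/jsp/page3.jsp", "/WEB-INF/jsp/page4.jsp" };
    private static final String FURTHEST = "furthestStep";
    // Index of the furthest step this session has earned; 0 for a new visitor.
    private static int furthest(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        Object v = (s == null) ? null : s.getAttribute(FURTHEST);
        return (v instanceof Integer) ? (Integer) v : 0;
    }
    // Parse ?step=N; missing, malformed or out-of-range values become -1.
    private static int requested(HttpServletRequest req) {
        try {
            int n = Integer.parseInt(req.getParameter("step"));
            return (n >= 0 && n < VIEWS.length) ? n : -1;
        } catch (NumberFormatException e) { return -1; }
    }

    @Override // Show a step, but never one beyond what the session has reached.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        int step = requested(req), max = furthest(req);
        if (step < 0 || step > max) {   // typed URL or stale bookmark
            resp.sendRedirect(req.getContextPath() + "/wizard?step=" + max);
            return;
        }
        req.getRequestDispatcher(VIEWS[step]).forward(req, resp);
    }

    @Override // "Next" button: the form on step N posts step=N.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        int step = requested(req), max = furthest(req);
        if (step == max && step < VIEWS.length - 1) {
            // Real code validates the submitted data (e.g. the login) here.
            req.getSession().setAttribute(FURTHEST, ++max);
        }
        resp.sendRedirect(req.getContextPath() + "/wizard?step=" + max);
    }
}
```

Progress advances only on a POST from the step the session is currently on, so knowing the URL of a later step gives a visitor nothing beyond a redirect back to the first step not yet completed.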