Preventing access to JSP's without authenticating.

 
Greenhorn
Posts: 25
Hi

I'm using Struts to make a little web app, but I'm having trouble while testing. Even though I have added session protection to my Actions, I haven't been able to stop the browser from skipping authentication and going to any JSP that I want just by typing in the URI.

What can I do to stop that from happening? I also have access levels, so the user doesn't have just to be authenticated, but have permission to access that page as well.

Thanks in advance for your help.

HP
 
Ranch Hand
Posts: 180
Hi
Before executing the ActionClass, there should be a check on the login info also. I guess you have done that. Posting a little snippet of code from your side would be useful.

// Reject the request unless a logged-in user id is present. String comparisons must use
// equals()/length(), never ==, which compares object identity and is false for a fresh "".
if ( (loginForm == null) || (loginForm.getUserid() == null)
     || (loginForm.getUserid().trim().length() == 0) || xyxForm == null )
{
    session.invalidate();
    return mapping.findForward("login");
}
 
Rancher
Posts: 43081
If your JSPs are in a publicly accessible directory, have them check that they're accessed through the Action only, and not directly. This could be done by setting a particular request attribute in the Action, and then checking for that in the JSP.
 
Ranch Hand
Posts: 4864
You can also make it impossible for a user to access a JSP directly and force them to always go through a Struts action by putting the following in your web.xml file:
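The two preceding replies describe the same control from different angles: the JSP must only ever be reached through an Action, never by a URL typed into the browser. As an added example (not code posted by anyone in this thread), the servlet Filter below enforces that rule centrally instead of in every JSP. Rather than a custom request attribute, it checks the `javax.servlet.forward.request_uri` attribute that any Servlet 2.4+ container sets on requests that arrive through `RequestDispatcher.forward()`; a request without it came straight from the client. The class name and the `*.jsp` mapping are assumptions.

```java
// Added example: refuses direct browser requests to *.jsp so that pages are
// reachable only via an Action forward. Assumes a Servlet 2.4+ container and that
// the filter is mapped to "*.jsp" in web.xml. Class and filter names are hypothetical.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DirectJspAccessFilter implements Filter {

    // Set by the container on every request that arrives via RequestDispatcher.forward();
    // Servlet 3.0 exposes the same string as RequestDispatcher.FORWARD_REQUEST_URI.
    private static final String FORWARD_URI_ATTR = "javax.servlet.forward.request_uri";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isDirectRequest(request)) {
            // Answer as if the page does not exist, so the URL space of your JSPs
            // is not revealed to someone probing for them.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True when the client addressed the JSP itself rather than an Action that forwarded to it. */
    static boolean isDirectRequest(HttpServletRequest request) {
        return request.getAttribute(FORWARD_URI_ATTR) == null;
    }

    public void destroy() { }
}
```

Register it in web.xml with a `<filter>` element and a `<filter-mapping>` whose `<url-pattern>` is `*.jsp`. A mapping without a `<dispatcher>` element applies only to direct client requests, so forwards from your Actions never even enter the filter; if you do add `<dispatcher>FORWARD</dispatcher>`, the attribute check still lets forwarded requests through. The simplest alternative needs no code at all: put the JSPs under `/WEB-INF/` (for example `/WEB-INF/jsp/`), which the container never serves to a client but which an Action can still forward to.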
 
Hector Pertierra
Greenhorn
Posts: 25
Hello again, thanks for your responses.

RoshaniG, I'm confused, because I thought Actions executed only when I submitted my form... So where should I put that?

Ulf, how do I put JSPs in a non-accessible directory? And also, how do I make them only accessible through the Action??

Merrill, so that Action would make all the forwards?? Where in that code do I specify which Action to go through first.

Thanks a lot!!! I hope I'm not asking questions that are too obvious.
 
Merrill Higginson
Ranch Hand
Posts: 4864
There's really no reason a user of your web application ever has to access a JSP directly from a URL like "/myApp/myJsp.jsp". It is often recommended as a best practice to "hide" the JSPs behind an Action URL. So, instead of the above URL, use "/myApp/myAction.do". You would then simply make myAction forward to myJsp.jsp. Most of the time, you need to do some processing such as loading lists of options or retrieving database values of some sort before displaying the JSP anyway. Even when you don't, it's quite possible to specify an action that does nothing but forward to a JSP. For example:

The above entry simply allows you to display myJsp.jsp by entering the URL "myAction.do".

If you want a truly secure application, this act of "hiding" your JSPs is an important step.
[ April 06, 2007: Message edited by: Merrill Higginson ]
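Hiding the JSP behind an Action only helps if the Action itself checks who is asking. The added example below (not code from this thread or from Struts) shows one way to put both halves together in Struts 1: a base Action that every protected Action extends, which verifies that the session holds a logged-in user with the access level the subclass requires before any real work runs, and a "do nothing but forward" subclass of the kind described above. The session attribute name, the `User` class, the numeric access levels and the forward names are assumptions.

```java
// Added example: a base Action enforcing authentication and access level for every
// subclass. Assumes Struts 1.x and that the login Action stored a User in the session
// under "currentUser" (hypothetical key); User, level numbers and forward names are made up.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public abstract class ProtectedAction extends Action {

    static final String USER_ATTR = "currentUser";   // hypothetical session key

    /** Minimal user model for the example; a real app loads this from its user store at login. */
    public static final class User {
        final String userId;
        final int accessLevel;
        public User(String userId, int accessLevel) {
            this.userId = userId;
            this.accessLevel = accessLevel;
        }
    }

    /** Level the subclass needs; 0 means "any authenticated user". */
    protected abstract int requiredLevel();

    /** The subclass's real work; runs only after the checks in execute() pass. */
    protected abstract ActionForward doExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;

    /** Pure decision logic, kept separate so it can be unit-tested without a container. */
    static boolean isAllowed(User user, int requiredLevel) {
        return user != null && user.accessLevel >= requiredLevel;
    }

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // getSession(false): never create a session just to find out it is empty
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute(USER_ATTR);

        if (user == null) {
            // Not logged in: "login" is a global forward in struts-config.xml (assumed)
            return mapping.findForward("login");
        }
        if (!isAllowed(user, requiredLevel())) {
            // Authenticated but not permitted: say so explicitly rather than re-showing login
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return doExecute(mapping, form, request, response);
    }
}

/** A forward-only action of the kind described above; its mapping's "success"
 *  forward points at a JSP under /WEB-INF/, which the container never serves directly. */
class ShowReportAction extends ProtectedAction {
    protected int requiredLevel() { return 2; }   // hypothetical: 2 = manager level

    protected ActionForward doExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        return mapping.findForward("success");
    }
}
```

The matching struts-config.xml entry is an `<action path="/showReport" type="ShowReportAction">` with a `<forward name="success" path="/WEB-INF/jsp/report.jsp"/>` inside it, plus a global `<forward name="login" path="/login.do"/>`. Because the JSP sits under `/WEB-INF/`, typing its path into the browser yields a 404 from the container, and the only route to it is an Action whose `execute()` has already run the session and level checks.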
 
Hector Pertierra
Greenhorn
Posts: 25
Ok, I think I can get it right now.

Thank you all!