
Preventing access to JSP's without authenticating.

 
Hector Pertierra
Greenhorn
Posts: 25
Hi

I'm using Struts to make a little web app, but I'm having trouble while testing. Even though I have added session protection to my Actions, I haven't been able to stop the browser from skipping authentication and going to any JSP that I want just by typing in the URI.

What can I do to stop that from happening? I also have access levels, so the user doesn't just have to be authenticated, but must have permission to access that page as well.

Thanks in advance for your help.

HP
 
RoshaniG Gopal
Ranch Hand
Posts: 180
Hi
Before executing the ActionClass, there should be a check on the login info also. I guess you have done that. Posting a little snippet of code from your side would be useful.

    // Inside Action.execute(): send the user back to the login page unless the
    // session holds a login form with a non-blank user id (and the page's own form).
    if ( (loginForm == null) || (loginForm.getUserid() == null)
            || (loginForm.getUserid().trim().length() == 0) || xyxForm == null )
    {
        session.invalidate();
        return mapping.findForward("login");
    }
 
Ulf Dittmer
Rancher
Posts: 42967
If your JSPs are in a publicly accessible directory, have them check that they're accessed through the Action only, and not directly. This could be done by setting a particular request attribute in the Action, and then checking for that in the JSP.
 
Merrill Higginson
Ranch Hand
Posts: 4864
You can also make it impossible for a user to access a JSP directly and force them to always go through a Struts action by putting the following in your web.xml file:
 
Hector Pertierra
Greenhorn
Posts: 25
Hello again, thanks for your responses.

RoshaniG, I'm confused, because I thought Actions executed only when I submitted my form... So where should I put that?

Ulf, how do I put JSPs in a non-accessible directory? And also, how do I make them only accessible through the Action?

Merrill, so that Action would make all the forwards? Where in that code do I specify which Action to go through first?

Thanks a lot!!! I hope I'm not asking questions that are too obvious.
 
Merrill Higginson
Ranch Hand
Posts: 4864
There's really no reason a user of your web application ever has to access a JSP directly from a URL like "/myApp/myJsp.jsp". It is often recommended as a best practice to "hide" the JSPs behind an Action URL. So, instead of the above URL, use "/myApp/myAction.do". You would then simply make myAction forward to myJsp.jsp. Most of the time, you need to do some processing such as loading lists of options or retrieving database values of some sort before displaying the JSP anyway. Even when you don't, it's quite possible to specify an action that does nothing but forward to a JSP. For example:

The above entry simply allows you to display myJsp.jsp by entering the URL "myAction.do".

If you want a truly secure application, this act of "hiding" your JSPs is an important step.
[ April 06, 2007: Message edited by: Merrill Higginson ]
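The two configuration pieces referred to in this thread, written out as an added example (this is not the snippet Merrill posted; the DOCTYPE/namespace header of web.xml is omitted, and the file layout under /WEB-INF/jsp/ plus the names myAction and myJsp.jsp are assumptions taken from the discussion):

```xml
<!-- web.xml (constructed example, not from the original post) -->
<web-app>

  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Refuse every direct browser request for a *.jsp URL. An empty
       <auth-constraint/> means "no role is allowed", so the container
       answers 403 whether or not the user is logged in. Server-side
       forwards from an Action are not subject to this constraint, so
       the JSPs stay reachable through their *.do URLs. This covers JSPs
       left in a public directory; anything under /WEB-INF/ is never
       served directly by the container in the first place. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Hidden JSPs</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>

<!-- struts-config.xml (constructed example): an Action that does nothing
     but forward, so /myApp/myAction.do renders myJsp.jsp while the JSP
     itself is not addressable from the browser. -->
<struts-config>
  <action-mappings>
    <action path="/myAction"
            type="org.apache.struts.actions.ForwardAction"
            parameter="/WEB-INF/jsp/myJsp.jsp"/>
  </action-mappings>
</struts-config>
```

The constraint only stops direct access; the per-user access-level check Hector asked about still belongs in the Action (as in RoshaniG's snippet), which runs before the forward to the JSP.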
 
Hector Pertierra
Greenhorn
Posts: 25
Ok, I think I can get it right now.

Thank you all!
 