JavaRanch » Java Forums » Frameworks » Struts
Preventing access to JSP's without authenticating.

Hector Pertierra
Greenhorn

Joined: Jun 06, 2006
Posts: 25
Hi

I'm using Struts to make a little web app, but I'm having trouble while testing. Even though I have added session protection to my Actions, I haven't been able to stop the browser from skipping authentication and going to any JSP that I want just by typing in the URI.

What can I do to stop that from happening? I also have access levels, so the user doesn't have just to be authenticated, but have permission to access that page as well.

Thanks in advance for your help.

HP


I'd be useless without Head First books...
RoshaniG Gopal
Ranch Hand

Joined: May 15, 2006
Posts: 180
Hi
Before executing the ActionClass, there should be a check on the login info also. I guess you have done that. Posting a little snippet of code from your side would be useful.

// Guard at the top of the Action's execute(): no login form, no user id,
// or a blank user id means the user is not authenticated.
// (String comparison with == compared references and could never be true;
// the blank check now uses length() == 0.)
if ( (loginForm == null) || (loginForm.getUserid() == null)
        || (loginForm.getUserid().trim().length() == 0) || xyxForm == null )
{
    session.invalidate();                 // drop any stale session state
    return mapping.findForward("login");  // back to the login page
}


Regards,
Roshani
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42289
If your JSPs are in a publicly accessible directory, have them check that they're accessed through the Action only, and not directly. This could be done by setting a particular request attribute in the Action, and then checking for that in the JSP.


Ping & DNS - my free Android networking tools app
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
You can also make it impossible for a user to access a JSP directly and force them to always go through a Struts action by putting the following in your web.xml file:


Merrill
Consultant, Sima Solutions
Hector Pertierra
Greenhorn

Joined: Jun 06, 2006
Posts: 25
Hello again, thanks for your responses.

RoshaniG, I'm confused, because I thought Actions executed only when I submitted my form... So where should I put that?

Ulf, how do I put JSPs in a non-accessible directory? And also, how do I make them only accessible through the Action??

Merrill, so that Action would make all the forwards?? Where in that code do I specify which Action to go through first?

Thanks a lot!!! I hope I'm not asking questions too obvious
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
There's really no reason a user of your web application ever has to access a JSP directly from a URL like "/myApp/myJsp.jsp". It is often recommended as a best practice to "hide" the JSPs behind an Action URL. So, instead of the above URL, use "/myApp/myAction.do". You would then simply make myAction forward to myJsp.jsp. Most of the time, you need to do some processing such as loading lists of options or retrieving database values of some sort before displaying the JSP anyway. Even when you don't, it's quite possible to specify an action that does nothing but forward to a JSP. For example:

The above entry simply allows you to display myJsp.jsp by entering the URL "myAction.do".

If you want a truly secure application, this act of "hiding" your JSPs is an important step.
[ April 06, 2007: Message edited by: Merrill Higginson ]
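The following is an added example, not code posted by anyone in this thread, tying together the two suggestions above: Ulf's request-attribute marker that a JSP checks so it refuses direct requests, and Merrill's "action that does nothing but forward" in front of a hidden JSP, extended with the access-level check the original question asked for. It assumes Struts 1 (org.apache.struts.action.*), that the login Action stores a LoginUser object in the session under the attribute name "loginUser" (a constructed name), and forward names "login" and "success" in struts-config.xml; the class and method names (SecuredAction, executeSecured, ViewGuard, AdminPageAction) are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Base Action for every page that needs a logged-in user. Subclasses declare
 * the access level they need; this class refuses the request before any
 * subclass code runs, marks the request as having passed through an Action,
 * and only then lets the subclass do its work and forward to the JSP.
 */
public abstract class SecuredAction extends Action {

    /** Session attribute holding the authenticated user (assumed name). */
    public static final String SESSION_USER_KEY = "loginUser";
    /** Request attribute proving the JSP was reached through an Action. */
    public static final String VIA_ACTION_KEY = "viaAction";

    /** Minimal user record; substitute whatever your login Action stores. */
    public static final class LoginUser {
        private final String userId;
        private final int accessLevel;
        public LoginUser(String userId, int accessLevel) {
            this.userId = userId;
            this.accessLevel = accessLevel;
        }
        public String getUserId() { return userId; }
        public int getAccessLevel() { return accessLevel; }
    }

    /** Lowest access level allowed to run this Action; subclasses override. */
    protected int requiredLevel() { return 1; }

    @Override
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // getSession(false): never create a session for an anonymous request.
        HttpSession session = request.getSession(false);
        LoginUser user = (session == null) ? null
                : (LoginUser) session.getAttribute(SESSION_USER_KEY);

        // Not authenticated: drop any stale session and go to the login page.
        if (user == null || user.getUserId() == null
                || user.getUserId().trim().length() == 0) {
            if (session != null) {
                session.invalidate();
            }
            return mapping.findForward("login");
        }
        // Authenticated but not permitted: 403, and no forward at all.
        if (user.getAccessLevel() < requiredLevel()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null; // null tells Struts the response is already handled
        }
        // Request-scoped marker for the JSP; it cannot carry over into a later
        // direct browser request for the .jsp URL.
        request.setAttribute(VIA_ACTION_KEY, Boolean.TRUE);
        return executeSecured(mapping, form, request, response);
    }

    /** Subclass work, reached only for an authenticated, authorised user. */
    protected abstract ActionForward executeSecured(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;

    /** A "do nothing but forward" Action guarding an admin-only page. */
    public static class AdminPageAction extends SecuredAction {
        @Override
        protected int requiredLevel() { return 10; }

        @Override
        protected ActionForward executeSecured(ActionMapping mapping,
                ActionForm form, HttpServletRequest request,
                HttpServletResponse response) {
            // "success" maps to e.g. /WEB-INF/jsp/admin.jsp in struts-config.xml
            return mapping.findForward("success");
        }
    }

    /** Called from the top of each JSP to refuse direct requests. */
    public static final class ViewGuard {
        public static boolean viaAction(HttpServletRequest request) {
            return Boolean.TRUE.equals(request.getAttribute(VIA_ACTION_KEY));
        }
    }
}
```

With this in place, each JSP opens with a one-line scriptlet such as `<% if (!SecuredAction.ViewGuard.viaAction(request)) { response.sendError(403); return; } %>`, so typing the .jsp URL into the browser gets a 403 even if the JSP sits in a public directory; putting the JSPs under WEB-INF, where the container never serves them directly, removes the need for that check and leaves only the Action's own login and access-level checks. The check uses the request scope deliberately: a session-scoped flag would stay set after the first legitimate visit and defeat the purpose.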
Hector Pertierra
Greenhorn

Joined: Jun 06, 2006
Posts: 25
Ok, I think I can get it right now.

Thank you all!