Question regarding servlet security

Arijit De
Greenhorn

Joined: May 16, 2012
Posts: 10
Hi,

I am facing a security issue in IE8.

I have two login roles: admin and user.

I first log in as an admin. Then I go to another browser window and log in as a user.

Then I copy the URL from the IE8 address bar of the admin login window and paste it into the user login browser window, and it automatically logs in as an administrator.

Can you tell me how to fix this issue?

Thanks,
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60997

Read this article and pay particular attention to the PRG pattern. No action should ever be repeatable by simply copying a URL which results in a GET.


Arijit De
Greenhorn

Joined: May 16, 2012
Posts: 10
Bear Bibeault wrote: Read this article and pay particular attention to the PRG pattern. No action should ever be repeatable by simply copying a URL which results in a GET.


I am using a POST request. Not a GET.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60997

Pasting the url results in a GET. If it can cause anything but a "get" action to occur, it's wrong.
Arijit De
Greenhorn

Joined: May 16, 2012
Posts: 10
Ok, how do I fix it? The request is a POST.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60997

Arijit De wrote: The request is a POST.

The second request that you are worried about -- the one where the URL is pasted into the browser -- is a GET. As long as you keep insisting that it is a post, we cannot go any further.

Your server-side code should not be written to allow non-GET actions to use GET. Are your servlets written to treat GET and POST the same? If so, they're wrong.
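An added example (not from this thread or either poster) of the separation Bear describes: doGet only renders the login form and refuses credentials in the query string, while doPost performs the login and then redirects, which is the Post/Redirect/Get pattern, so the URL left in the address bar is a harmless GET. The servlet API calls are the standard javax.servlet ones; the login.jsp path, the in-memory user map and the /admin and /home landing pages are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class LoginServlet extends HttpServlet {
    // Constructed sample user store (hypothetical): username -> "password:role".
    private static final Map<String, String> USERS = Map.of(
            "alice", "alice-pw:admin",
            "bob", "bob-pw:user");
    // GET only renders the form. Nothing changes on the server, so a copied
    // and pasted URL (always a GET) can never log anyone in.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getParameter("username") != null || req.getParameter("password") != null) {
            // Credentials in a query string would land in history and logs; refuse them.
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Log in with POST");
            return;
        }
        req.getRequestDispatcher("/WEB-INF/login.jsp").forward(req, resp);
    }
    // POST performs the login, then redirects (Post/Redirect/Get) so the URL left
    // in the address bar is a plain GET of the landing page, not the login action.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String role = authenticate(req.getParameter("username"), req.getParameter("password"));
        if (role == null) {
            resp.sendRedirect(req.getContextPath() + "/login?error=1");
            return;
        }
        // Fresh session per login so the new window never inherits another identity.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute("role", role);
        resp.sendRedirect(req.getContextPath() + ("admin".equals(role) ? "/admin" : "/home"));
    }
    // Returns the role for valid credentials, or null. Plain-text comparison is only
    // for this constructed sample; real code checks a salted hash.
    private static String authenticate(String user, String pass) {
        String entry = user == null ? null : USERS.get(user);
        if (entry == null || pass == null) return null;
        int sep = entry.indexOf(':');
        return entry.substring(0, sep).equals(pass) ? entry.substring(sep + 1) : null;
    }
}
```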