Security Constraints to allow Links only

Stevie Shorey
Ranch Hand

Joined: Dec 10, 2012
Posts: 45

Hey,

I have used <auth-constraint/> in my security constraint to block direct access to servlets in my site.
But to my horror, I cannot even link to them or use them with doPost() etc.

My understanding was that <auth-constraint/> blocked direct access only. How do I circumvent this?

To rehash, I don't want the user to enter a direct URL (except for the website's home page). The only way the user can access different parts of the website is by clicking through links.

Thanks,
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2801
    

So if the task is to have a particular access pattern for the application, you can put in filters and check for the referer URL.


SCJP, SCWCD.
|Asking Good Questions|
Stevie Shorey
Ranch Hand

Joined: Dec 10, 2012
Posts: 45

Amit Ghorpade wrote: So if the task is to have a particular access pattern for the application, you can put in filters and check for the referer URL.


Does setting up a filter take much effort?
The scope of security for this site is very limited as it is just a project website.
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2801
    

Stevie Shorey wrote: Does setting up a filter take much effort?

Not at all. I am not saying it is dead easy, but it is certainly not a biggie.
It is just like any other servlet code with its own special capabilities.
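
A sketch of the filter approach suggested in this thread, added as an illustration and not code posted by either participant. The class name `RefererFilter`, the `homePath` init-param and the redirect-to-home behaviour are assumptions; the Referer header is set by the client, so this shapes navigation rather than authenticating anyone.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: passes the home page, and any request whose Referer is this site.
public class RefererFilter implements Filter {

    private String homePath; // assumed init-param, e.g. "/index.jsp"

    @Override
    public void init(FilterConfig config) {
        String p = config.getInitParameter("homePath");
        homePath = (p != null) ? p : "/";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path inside the web application, without the context path.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.isEmpty() || path.equals("/") || path.equals(homePath)
                || isSameSite(request.getHeader("Referer"), request)) {
            chain.doFilter(req, res);              // home page, or reached via a link or form
        } else {
            response.sendRedirect(request.getContextPath() + homePath);
        }
    }

    // True when the Referer parses as a URL whose host and context path match this request.
    static boolean isSameSite(String referer, HttpServletRequest request) {
        if (referer == null) return false;         // typed URL, bookmark, or stripped header
        try {
            URI uri = new URI(referer);
            String refPath = (uri.getPath() == null) ? "" : uri.getPath();
            return request.getServerName().equalsIgnoreCase(uri.getHost())
                    && refPath.startsWith(request.getContextPath() + "/");
        } catch (URISyntaxException e) {
            return false;                          // malformed header: treat as direct access
        }
    }

    @Override
    public void destroy() { }
}
```

Map the filter to the servlet URL patterns with `<filter>` and `<filter-mapping>` in web.xml, in place of the empty `<auth-constraint/>`, which denies every request to the constrained patterns.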
 