I have created 4 JSP pages, namely login.jsp, page2.jsp, page3.jsp and page4.jsp.
When the user clicks the next button on login.jsp, he is redirected to page1.jsp; likewise,
the next button on page2 takes him to page3, and the one on page3 takes him to page4.jsp.
However, if he instead simply types the URL of page3.jsp in the browser,
he gets redirected to it. I want to restrict the user from doing this.
Could anyone kindly help with what code I need to include in my JSP page
to provide this functionality?
Thanks for the quick reply. I am really new to JSP and servlets. It would be really kind of you if you could elaborate a little more on the Servlet Controller. If possible, kindly provide a snippet. Looking forward to your help.
If you are new to JSP and Servlets, getting off onto the right foot and avoiding establishing bad habits is important. Rule #1: no Java code in JSPs! That's a bad practice that is almost 10 years out-of-date now, but is still inexplicably prevalent. Don't fall into that trap!
You might find this article helpful in understanding exactly how JSPs operate. And this article explains controllers and proper web application structure.
I have two JSP files (page1.jsp and page2.jsp) that I have placed in the "WebContent\WEB-INF\jsp" folder.
I wrote a servlet class, Homeservlet, in order to provide access to page1:-
When I run the servlet from the browser as http://localhost:8080/website/HomeServlet, I am able to get Page1. However, on clicking the OK button on Page1, I am not able to navigate to the next page, i.e. Page2. It's showing an HTTP 404 error (The requested resource (/Page2.jsp) is not available.)
You are willing to go to page2, but you are mentioning page1
In addition to this, as far as I know, anything stored inside WEB-INF can't be directly accessed by the client. You need a URL mapping for this, and inside that location.replace you need to pass that URL.
@Swastik: Thanks for your replies. I tried once again; it's still not working for me. I am still getting a 404 error. However, I don't think it's going to serve my purpose, because I don't want the user to get direct access to any JSP page. According to the solution that you provided, the user can still type in the URL:
http://localhost:8080/website/Hello and get direct access to Page2.
Please suggest some way through which I can restrict direct access. Do I need to create a Session object?
1. You are telling the actual URL to the browser, which can be seen, so there is a security problem.
2. Such hard binding is undesirable where code maintenance is concerned.
Now back to your original question:
as Bear said, you can place a controller in between which monitors page accesses and forwards or denies requests based on need.
If you are not getting that, you can set an attribute in the session created by the first JSP and check if it exists in the second one; if not, redirect. This is one of the simplest ways of doing it,
although not the best one.
Hope this helps.
@Amit: Thanks for the reply. I did follow Bear's advice and wrote a controller servlet to access the first JSP page (Page1.jsp).
However, I don't have any idea how to access the second page (Page2.jsp) on clicking the next button of Page1.jsp. Does it require writing another controller servlet for Page2.jsp?
Kindly help, as I want to implement it in the best possible way.
One servlet should be good enough to handle both the requests, and that is the real use of a controller servlet. As in the first request you are simply invoking the servlet, but when you call the servlet next time to show Page2, you may call it with some query parameters, and accordingly handle the request in servlet.
@Swastik: Thanks for the reply. However, the user can still access Page2 directly by typing in the URL "http://localhost:8080/website/HomeServlet?pgname=Page2".
This should not be the case, as we don't want the user to get direct access.
Actually, a more important thing to do would be to GET RID OF THE LOGIN URL!!!
This is a primary weakness on most Do-it-Yourself security systems. Many - probably most - of them expect people to use the system honestly. Bad Guys aren't honest, and they'll bypass the login page in a heartbeat if it gets them to the goodies.
Unless you have a nice big security budget and a bunch of paranoid professionals to ensure that each and every thing ever done to the webapp over its entire lifespan is secure, you're far better off using the J2EE built-in container-managed security system.
You do this by defining the login/loginfail JSPs in web.xml. These pages are never directly referenced by URL. Instead, when a user attempts to access a secured URL, the server takes over and presents the login page. Only if the login succeeds will the application forward to the application JSP and code. Otherwise the server will block the attempt and no URL games will get around it.
That will address the security problems and the best thing about it is that no application coding is required to make it work.
Of course, if you have a "page 2" that requires data from "page 1", that's not a security issue, it's a workflow issue. About the best you can do on that is to make page 2 reject any attempts to operate on missing data - possibly by redirecting to page 1 if the required info wasn't set up. The ability to directly access web pages can be a problem, but it's also a blessing, since directly-accessible pages can be bookmarked so that frequently-used functions can be rapidly accessed. When augmented by container-managed security, you can make an app both flexible AND secure.
Sources may include data from the Fakebook Research Foundation with support from Gargle University
You should never use JS to perform navigation. I would have done the below to perform the same thing.
i) Make page1 the welcome file and create a session in this page (one-liner code).
ii) No need to write JS and an onclick handler. Make a simple anchor and use CSS to make it look like a button. Put href="/controller?pagename=page2" in the 2nd page, and repeat the same for the other JSPs.
iii) Simply make a Servlet controller, pass a query string ("pagename") and check for a preexisting session, like (HttpSession session = request.getSession(false)); if it exists, then forward to the pagename parameter value, otherwise create a new session and forward to the welcome page.
And you are done. Not sure whether it is the best approach, but it is better.
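One way to combine two suggestions from this thread, container-managed security and a controller that checks session state before forwarding, as an added example that is not code from any poster. It assumes Servlet 3.0+ annotations, a role named "user", JSPs named page1.jsp to page4.jsp under /WEB-INF/jsp/, and hypothetical names `WizardController`, `resolveStep` and `wizard.reached`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Container-managed security: the container authenticates the caller before
// this servlet runs. The role name "user" is an assumption; the form login
// page itself is still declared under <login-config> in web.xml.
@WebServlet("/controller")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
public class WizardController extends HttpServlet {

    // Allow-list of steps, in order. The pagename parameter is only looked up
    // here and is never concatenated into a path as received.
    private static final List<String> STEPS =
            Arrays.asList("page1", "page2", "page3", "page4");
    private static final String REACHED = "wizard.reached"; // session key (assumed name)

    /** Index of the step to show: unknown names fall back to step 0, and a
     *  caller may go at most one step past the highest step already served. */
    static int resolveStep(String requested, int reached) {
        int idx = STEPS.indexOf(requested); // -1 for null or unknown values
        return idx < 0 ? 0 : Math.min(idx, reached + 1);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        Integer stored = (Integer) session.getAttribute(REACHED);
        int reached = (stored == null) ? -1 : stored; // -1: nothing served yet
        int step = resolveStep(req.getParameter("pagename"), reached);
        session.setAttribute(REACHED, Math.max(step, reached));
        // The JSPs sit under WEB-INF, so this forward is the only way to reach them.
        req.getRequestDispatcher("/WEB-INF/jsp/" + STEPS.get(step) + ".jsp")
           .forward(req, resp);
    }
}
```

With a fresh session, a request for `?pagename=page3` resolves to page1, and a `pagename` value outside the list can never select a file.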