The Artima Developer Community

Java Answers Forum
Jsp protection

2 replies on 1 page. Most recent reply: Dec 8, 2003 8:40 PM by Jonathon Brozny

John Riggins

Posts: 1
Nickname: meadmaker
Registered: Dec, 2003

Jsp protection Posted: Dec 7, 2003 8:21 PM
Hi all,

I'm using Struts and was wanting to set up my webapp so that no one can type a JSP in the URL. I want it so everything has to go through the action classes that I have made. I would like to be able, however, to type in the index.jsp and login.jsp.

TIA

John R


Senthoorkumaran Punniamoorthy

Posts: 335
Nickname: senthoor
Registered: Mar, 2002

Re: Jsp protection Posted: Dec 8, 2003 5:16 PM
What I would suggest is to subclass the RequestProcessor and do some session validation there. Say, when someone logs in, store some specific information in the session about the user. When a subsequent request comes, check the session object for the stored information in the subclassed RequestProcessor. That way someone can't just type in a URL and gain access to the system. Here is something I came up with:

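import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.RequestProcessor;
import org.apache.struts.config.ForwardConfig;

public class CustomRequestProcessor extends RequestProcessor {

  public CustomRequestProcessor() {
    super();
  }

  // Runs before every action; returning false stops processing of the request.
  protected boolean processPreprocess(HttpServletRequest req, HttpServletResponse res) {
    // Let the login and welcome paths through without a session check.
    String path = req.getServletPath();
    if (path.indexOf("login") > 0 || path.indexOf("Welcome") > 0) {
      return true;
    }
    // getSession(false) returns null when the client has no session yet.
    HttpSession session = req.getSession(false);
    // IConstants.USER_VIEW_KEY is the application's own key, set at login.
    if (session == null || session.getAttribute(IConstants.USER_VIEW_KEY) == null) {
      ForwardConfig config = moduleConfig.findForwardConfig("SessionTimeOut");
      try {
        res.sendRedirect(req.getContextPath() + config.getPath());
      } catch (IOException ex) {
        log.error("Redirect to SessionTimeOut failed", ex);
      }
      return false;
    }
    return true;
  }
}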

Jonathon Brozny

Posts: 24
Nickname: jonathon
Registered: Oct, 2003

Re: Jsp protection Posted: Dec 8, 2003 8:40 PM
Hello, one way to stop anyone from going directly to any of your JSP pages is by putting them into your WEB-INF folder. The WEB-INF folder is not visible to a web client. So in your case put the index.jsp and login.jsp in the root folder of your context and the .jsp pages that you don't want to allow direct access to in a /WEB-INF/jsp folder or something.

The other option to limit access to them is by putting them into a folder and making security constraints in your web.xml file for that folder.
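
The security-constraint option from the last reply, as a web.xml fragment. This is an added example, not configuration from any poster's application; the folder name `/pages` and the resource name are assumptions.

```xml
<!-- web.xml fragment (added example). "/pages" is an assumed folder name. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected JSPs</web-resource-name>
    <!-- Covers every resource under /pages; index.jsp and login.jsp
         stay in the context root and are not matched by this pattern. -->
    <url-pattern>/pages/*</url-pattern>
    <!-- No <http-method> elements are listed, so the constraint applies
         to all HTTP methods rather than only the ones named. -->
  </web-resource-collection>
  <!-- An auth-constraint with no role-name allows no role at all:
       the container rejects every direct client request to /pages/*. -->
  <auth-constraint/>
</security-constraint>
```

Security constraints are enforced only on requests coming from the client, not on RequestDispatcher forwards or includes, so a Struts action can still forward to a JSP under `/pages` while a typed-in URL for the same page is refused.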


Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use