Hi,

Boy... not two seconds after I submit one email, you have already replied to a
previous one sent only minutes ago. Talk about service! Gotta love this
list. :)

>Isn't it amazing what a few little characters can do? :-)

Yep. But if you could see the crap we are using now, I think you would
retract the "few". ;) How does 12,000 lines of servlet code grab you for
"minimal" functionality?

>Well, one thing you could do in the action procedure that Enroll.do executes
>is make sure the request method was a POST. That way, an attempt to do a GET
>(as a result of returning from a bookmark) will fail. If this is generally
>the case for all action procedures (i.e. they MUST be processing a form), the
>simplest thing to do is implement only doPost() in your controller servlet --
>have doGet() return some nice error message saying that you can't return to
>this page.

Very good point. I never realized that a bookmark uses a GET, but now that
you mention it, it makes sense, since that is what it saves in the bookmark.

I said this before...learn something new every day! :)

>Another thing you'll probably want to do is have the controller servlet (or
>the servlet container if you're using 2.2 security) check for a valid login
>when a *.do URL is requested. You'll probably want this anyway, to prevent
>malicious attempts to bypass any security you've coded into the JSP pages
>themselves.

Actually, I did JUST this in the header.inc that EVERY page uses on the JSP
site, which isn't deployed yet. During the login process an HttpSession
object is created, and in the header, if a page is in the /inside path, I
check to see if the object has been created. If it hasn't, the user is
forwarded back to the /home.jsp page. Otherwise, proceed as planned. It works
well. If you type in ANY URL in the /inside path, which is our protected
resources, and you're not logged in, it returns you to the /home.jsp page.
Same thing with bookmarks. Is this what you're talking about? Is this the BEST
security, or is there a way that even this could be hacked?

Thanks again.
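The two suggestions quoted above (POST-only action handling, and a login check done in the controller servlet rather than only in the JSP header) combine into a single controller. The code below is an added example written for this page, not code from the original thread or from the poster's site. It assumes a controller servlet mapped to "*.do" in web.xml, a session attribute named "authenticatedUser" that only the login action sets, a "/Login.do" action, and an in-memory user table that stands in for whatever user store the site really uses. Two caveats a practitioner would want, both of which the example addresses: a check that lives only in header.inc protects only the JSPs that include that file, and never the *.do actions, which the container sends straight to the servlet; and testing merely whether a session object exists is not a login check, because any JSP that does not declare session="false" creates a session for whoever requests it.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical controller servlet, assumed to be mapped to "*.do" in web.xml.
 * Every action is reached only by POST, and every action except Login.do
 * requires an authenticated user that Login.do recorded in the session.
 */
public class ControllerServlet extends HttpServlet {

    /** Session attribute that marks a logged-in user (name is an assumption). */
    static final String USER_ATTR = "authenticatedUser";

    /** Constructed stand-in for the site's real user store (assumption). */
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "correct horse battery staple");
    }

    /** Bookmarks and retyped URLs arrive as GET: refuse instead of replaying an action. */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        resp.setHeader("Allow", "POST");
        resp.setContentType("text/html");
        resp.getWriter().println(
            "<p>This page cannot be returned to. Please start again from the form.</p>");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getServletPath();   // e.g. "/Enroll.do" or "/Login.do"

        if ("/Login.do".equals(action)) {
            login(req, resp);
            return;
        }

        // Every other action: the check lives here, in the servlet, so it cannot be
        // skipped by requesting the .do URL directly or by a JSP that omits header.inc.
        if (!isLoggedIn(req)) {
            resp.sendRedirect(req.getContextPath() + "/home.jsp");
            return;
        }

        if ("/Enroll.do".equals(action)) {
            enroll(req, resp);
        } else {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    /**
     * True only if a session exists AND Login.do stored a user in it. A bare
     * "session != null" test is not enough: any JSP without session="false"
     * creates a session for whoever requests it, logged in or not.
     */
    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false);   // false: never create one here
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    private void login(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        String expected = (user == null) ? null : USERS.get(user);
        if (expected == null || !expected.equals(pass)) {
            resp.sendRedirect(req.getContextPath() + "/home.jsp?error=login");
            return;
        }
        // Discard any session that existed before authentication and start a fresh
        // one, so a session id handed out pre-login cannot be reused after it.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(USER_ATTR, user);
        resp.sendRedirect(req.getContextPath() + "/inside/welcome.jsp");  // assumed page
    }

    private void enroll(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Safe to read without a null check: doPost only gets here after isLoggedIn().
        String user = (String) req.getSession(false).getAttribute(USER_ATTR);
        // Process the enrollment form for "user" here, then send them on.
        resp.sendRedirect(req.getContextPath() + "/inside/enrolled.jsp");  // assumed page
    }
}
```

With this in place the header.inc check for /inside pages should test the same thing the servlet does, i.e. that session.getAttribute("authenticatedUser") is non-null, rather than that a session exists; and the JSPs under /inside still need that include, because the servlet only guards the *.do URLs. The quoted reply's other option, a security-constraint on /inside/* and *.do in web.xml under the servlet 2.2 security model, moves that check into the container so that no page or action can forget it.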

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
