No, the client could spoof a request *parameter*, but not a request
*attribute*.
--
Martin Cooper
Tumbleweed Communications
----- Original Message -----
From: "David M. Karr" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 24, 2000 9:18 AM
Subject: Re: Prevent users from bypassing a Controller servlet?
> >>>>> "Gokul" == Gokul Singh <[EMAIL PROTECTED]> writes:
> >> That is, how do I force all
> >> requests to be directed to the Controller servlet even if
> >> the user tries to access a jsp-page (or servlet) directly.
>
> Gokul> Just set an attribute in the request object before passing it to
the jsp. In
> Gokul> the jsp check for this attribute. If it is not present,
redirect/forward to
> Gokul> the controller.
> Gokul> This is just offhand. Someone here may have a better solution.
>
> I would think you would want the Controller to set a Session attribute
> to indicate this. Using a request attribute would still allow the
> client to spoof the request attribute value in the URL.
>
> --
>
============================================================================
===
> David M. Karr ; [EMAIL PROTECTED] ; w:(425)487-8312 ; TCSI & Best
Consulting
> Software Engineer ; Unix/Java/C++/X ; BrainBench CJ12P (#12004)
>
>
___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the
body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
