IMO these are two bad solutions

  + Setting an attribute can be bypassed by doing 
        /page2.jsp?referer=true
  + I am almost sure HTTP headers can be modified easily, so using the HTTP
"referer" header may be unsafe...

See David Graham's post in this thread to prevent access to any *.jsp file.

Regards from Spain,
Guido.

On Mon, 13 Jan 2003 [EMAIL PROTECTED] wrote:

} Yes, you can use the struts-config.xml, actions or forwards
} but if you don't want Struts to know about it (!) you can check by setting a
} contextual attribute:
} page1: request.setAttribute("referer", "true")
} page 2: request.getAttribute("referer") = true ?
} 
} or use the http headers : getHeader("referer"); and check if the referer is
} the right one.
} 
} Hopefully it will help,
} fabrice.
} 
} -----Original Message-----
} From: Colquhoun, Adrian [mailto:[EMAIL PROTECTED]]
} Sent: Monday, 13 January 2003 16:41
} To: [EMAIL PROTECTED]
} Subject: Controlling Direct Access to jsp pages
} 
} 
} 
} Hi
} 
} If I have three pages in my view layer that must be called in sequence e.g.
} 
}  - step1.jsp then
}  - step2.jsp then
}  - step3.jsp
} 
} How do I ensure that my users do not call step2 and step3 directly via a
} web browser?  Do I need to use a custom tag in pages 2 and 3 to check this,
} or is there some way to force all requests for .jsp pages in my application
} to route via the ActionServlet?
} 
} Thanks
} 
} Adrian


------------------------------------------------------------------------
Guido Garcia Bernardo
[EMAIL PROTECTED]
[EMAIL PROTECTED]
                                        "stat rosa pristina
                                nomine, nomina nuda tenemus."
------------------------------------------------------------------------
http://members.ud.com/services/teams/team.htm?id=D8624419-BFB6-4772-A01A-0045631F979F
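
An added example, not code from any poster in this thread: a servlet filter that enforces the step1 → step2 → step3 order from the original question using server-side session state only, so neither a request parameter nor the Referer header takes part in the decision. The class name, the session key and the `markCompleted` helper are hypothetical, and the filter is assumed to be mapped to `*.jsp` in web.xml with the three pages at the application root.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: allows stepN.jsp only when steps 1..N-1 are recorded in the session. */
public class StepOrderFilter implements Filter {
    // Hypothetical session key; written only by server-side code, never copied from request input.
    static final String DONE = "wizard.lastCompletedStep";

    /** Pure decision: step N may be shown only if steps 1..N-1 were completed. */
    static boolean allowed(int requestedStep, int lastCompleted) {
        return requestedStep >= 1 && requestedStep <= lastCompleted + 1;
    }

    /** Maps "/step2.jsp" to 2; returns -1 for paths that are not wizard steps. */
    static int stepOf(String path) {
        if (path == null || !path.matches("/step[1-3]\\.jsp")) return -1;
        return path.charAt(5) - '0';
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        int step = stepOf(req.getServletPath());
        if (step == -1) { chain.doFilter(rq, rs); return; }   // not a wizard page

        HttpSession session = req.getSession(false);           // never create a session here
        Object v = (session == null) ? null : session.getAttribute(DONE);
        int last = (v instanceof Integer) ? ((Integer) v).intValue() : 0;

        if (!allowed(step, last)) {
            // Out-of-order request: send the client back to the start of the sequence.
            res.sendRedirect(req.getContextPath() + "/step1.jsp");
            return;
        }
        chain.doFilter(rq, rs);
    }

    /** Call from the server-side handler that accepted step N's form (e.g. a Struts Action). */
    static void markCompleted(HttpSession session, int step) {
        session.setAttribute(DONE, Integer.valueOf(step));
    }
}
```

A request for `/step2.jsp?referer=true` with a forged Referer header is still redirected, because `lastCompletedStep` lives in the session on the server and is only advanced by `markCompleted`.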