Posted to users@tomcat.apache.org by Ben Souther <bs...@fwdco.com> on 2004/11/10 14:27:49 UTC
Re: Preventing users getting access to directory contents in Tomcat
test.html
=======================
<html>
<a href="test.jsp">test.jsp</a>
</html>
test.jsp
=======================
<%=request.getHeader("REFERER")%>
On Wed, 2004-11-10 at 08:17, Paul Taylor wrote:
> Please, how do I do that?
> Ben Souther wrote:
>
> >You could check the referrer header to make sure that the request came
> >from start.jsp
> >
> >On Wed, 2004-11-10 at 07:57, Paul Taylor wrote:
> >
> >>Point taken regarding images.
> >>
> >>But is this the only way to protect jsp ?
> >>I have a directory structure as follows
> >>/jsp/feedback/start.jsp
> >>/jsp/feedback/finish.jsp
> >>
> >>I want them to be able to bookmark start.jsp and access it either
> >>through the interface or directly from the url, but I don't want them to
> >>access finish.jsp directly because it doesn't make any sense as it is only
> >>shown after processing start.jsp.
> >>
> >> From what you're saying I would have to either do
> >>/WEB-INF/feedback/start.jsp
> >>/WEB-INF/feedback/finish.jsp
> >>which would mean they couldn't bookmark anything
> >>
> >>or do
> >>/jsp/feedback/start.jsp
> >>/WEB-INF/feedback/finish.jsp
> >>
> >>which screws up my links and stuff, meaning quite a lot of rework and
> >>stuff over the whole site.
> >>
> >>On a similar note, some of my jsps call a servlet. In my web.xml it is
> >>defined and url mapped as follows
> >> <servlet>
> >> <servlet-name>Controller</servlet-name>
> >> <servlet-class>com.myapp.Controller</servlet-class>
> >> <load-on-startup>0</load-on-startup>
> >> </servlet>
> >> <servlet-mapping>
> >> <servlet-name>Controller</servlet-name>
> >> <url-pattern>/controller</url-pattern>
> >> </servlet-mapping>
> >>
> >>My jsp would then call
> >><form name="feedbackform2" method="post"
> >>action="<%=request.getContextPath()%>/controller">
> >>to call the servlet
> >>
> >>the trouble is the user can type directly into the url
> >>localhost:8080/myapp/controller
> >>
> >>and call the servlet out of context. How do I stop that?
> >>
> >>Tim Funk wrote:
> >>
> >>>You can't prevent images from being taken.
> >>>
> >>>As for JSPs, move them to your WEB-INF directory. Then use a servlet
> >>>to validate the incoming parameters and then forward to the JSP.
> >>>
> >>>-Tim
> >>>
> >>>Paul Taylor wrote:
> >>>
> >>>>Thanks works a treat
> >>>>
> >>>>Is there a similar way to prevent the user typing in the url of a
> >>>>particular jsp or image and stop them being taken? I've looked at
> >>>>security-constraints but this seems to be based on only
> >>>>certain/logged in users gaining access. I have no concept of logged
> >>>>users in my application but I only want them to access pages via the
> >>>>interface rather than the url except for a few pages which they can
> >>>>access via url to allow them to bookmark them.
> >>>>
> >>>>Shapira, Yoav wrote:
> >>>>
> >>>>>Hi,
> >>>>>Add a listings parameter to the DefaultServlet in conf/web.xml with a
> >>>>>param-value of false. IIRC.
> >>>>>
> >>>>>Yoav Shapira http://www.yoavshapira.com
> >>>>>
> >>>---------------------------------------------------------------------
> >>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
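Tim's suggestion (move finish.jsp under WEB-INF and let the Controller validate and forward) worked through as an added example; this is not code from anyone in the thread. It keeps the <servlet> and <servlet-mapping> entries Paul quoted, assumes start.jsp posts a form field named "comment" (hypothetical), and refuses GETs to /controller instead of trusting the Referer header, which the browser may omit or alter.

```java
// Added example, not code from the thread. Assumes the web.xml mapping quoted
// above (/controller -> com.myapp.Controller) and a form field "comment".
package com.myapp;

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Controller extends HttpServlet {
    // start.jsp stays public so it can be bookmarked and typed into the address bar.
    private static final String START  = "/jsp/feedback/start.jsp";
    // finish.jsp lives below WEB-INF: the container never serves it for a direct
    // request, so the only way to render it is a server-side forward from here.
    private static final String FINISH = "/WEB-INF/feedback/finish.jsp";

    // Typing localhost:8080/myapp/controller into the browser is a GET. The flow
    // only ever reaches this servlet by POST from start.jsp, so a GET is "out of
    // context" by definition and is refused without looking at Referer at all.
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        res.setHeader("Allow", "POST");
        res.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String comment = req.getParameter("comment");   // field name is assumed
        if (comment == null || comment.trim().length() == 0) {
            // Missing or empty input: back to the public start page with a message.
            req.setAttribute("error", "Please enter your feedback.");
            forward(req, res, START);
            return;
        }
        // Persisting the feedback is outside this example; hand the validated
        // value to the JSP and render the protected page.
        req.setAttribute("comment", comment);
        forward(req, res, FINISH);
    }

    private static void forward(HttpServletRequest req, HttpServletResponse res,
                                String path) throws ServletException, IOException {
        RequestDispatcher rd = req.getRequestDispatcher(path);
        rd.forward(req, res);
    }
}
```

Links in start.jsp keep pointing at <%=request.getContextPath()%>/controller; only finish.jsp moves, and a direct request for /myapp/WEB-INF/feedback/finish.jsp is answered by Tomcat with 404.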
[OT] Re: Use of Referer header
Posted by Ben Souther <bs...@fwdco.com>.
On Wed, 2004-11-10 at 12:52, Ben Souther wrote:
> The browser generates the HTTP headers and there are some rules
> governing when they are to be sent.
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
>
> This isn't really Tomcat specific, so I'm marking it [OT].
> You may find more enthusiastic help on a JSP/Servlet list.
>
> -Ben
>
> On Wed, 2004-11-10 at 12:30, Paul Taylor wrote:
> > I have a WebPage which can be called from two different webpages, and I
> > wanted it to have a back button.
> >
> > Originally I had the calling pages passing a parameter to tell the
> > called page what called it. Then someone pointed
> > out <%=request.getHeader("REFERER")%> to me. This works much better.
> >
> > But I have 2 questions:
> > 1. Where are these header values defined? I've not been able to find a
> > good source.
> > 2. It worked when coming from my pages but I then tried going to
> > another page (e.g. www.sun.com) and then pasting in the url and it just
> > returned null. Does referer only apply when hyperlinking from another page?
Re: Use of Referer header
Posted by Ben Souther <bs...@fwdco.com>.
The browser generates the HTTP headers and there are some rules
governing when they are to be sent.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
This isn't really Tomcat specific, so I'm marking it [OT].
You may find more enthusiastic help on a JSP/Servlet list.
-Ben
On Wed, 2004-11-10 at 12:30, Paul Taylor wrote:
> I have a WebPage which can be called from two different webpages, and I
> wanted it to have a back button.
>
> Originally I had the calling pages passing a parameter to tell the
> called page what called it. Then someone pointed
> out <%=request.getHeader("REFERER")%> to me. This works much better.
>
> But I have 2 questions:
> 1. Where are these header values defined? I've not been able to find a
> good source.
> 2. It worked when coming from my pages but I then tried going to
> another page (e.g. www.sun.com) and then pasting in the url and it just
> returned null. Does referer only apply when hyperlinking from another page?
Use of Referer header
Posted by Paul Taylor <pa...@fastmail.fm>.
I have a WebPage which can be called from two different webpages, and I
wanted it to have a back button.
Originally I had the calling pages passing a parameter to tell the
called page what called it. Then someone pointed
out <%=request.getHeader("REFERER")%> to me. This works much better.
But I have 2 questions:
1. Where are these header values defined? I've not been able to find a
good source.
2. It worked when coming from my pages but I then tried going to
another page (e.g. www.sun.com) and then pasting in the url and it just
returned null. Does referer only apply when hyperlinking from another page?