test.html
=======================
<html>
<a href="test.jsp">test.jsp</a>
</html>

test.jsp
=======================
<%=request.getHeader("REFERER")%>

On Wed, 2004-11-10 at 08:17, Paul Taylor wrote:
> Please, how do I do that?
>
> Ben Souther wrote:
>
> >You could check the referrer header to make sure that the request came
> >from start.jsp
> >
> >On Wed, 2004-11-10 at 07:57, Paul Taylor wrote:
> >
> >>Point taken regarding images.
> >>
> >>But is this the only way to protect jsp?
> >>I have a directory structure as follows
> >>/jsp/feedback/start.jsp
> >>/jsp/feedback/finish.jsp
> >>
> >>I want them to be able to bookmark start.jsp and access it either
> >>through the interface or directly from the url, but I don't want them to
> >>access
> >>finish.jsp directly because it doesn't make any sense as it is only
> >>shown after processing start.jsp.
> >>
> >>From what you're saying I would have to either do
> >>/WEB-INF/feedback/start.jsp
> >>/WEB-INF/feedback/finish.jsp
> >>which would mean they couldn't bookmark anything
> >>
> >>or do
> >>/jsp/feedback/start.jsp
> >>/WEB-INF/feedback/finish.jsp
> >>
> >>which screws up my links and stuff, meaning quite a lot of rework and
> >>stuff over the whole site.
> >>
> >>On a similar note, some of my jsps call a servlet. In my web.xml it is
> >>defined and url mapped as follows
> >>    <servlet>
> >>        <servlet-name>Controller</servlet-name>
> >>        <servlet-class>com.myapp.Controller</servlet-class>
> >>        <load-on-startup>0</load-on-startup>
> >>    </servlet>
> >>    <servlet-mapping>
> >>        <servlet-name>Controller</servlet-name>
> >>        <url-pattern>/controller</url-pattern>
> >>    </servlet-mapping>
> >>
> >>My jsp would then call
> >><form name="feedbackform2" method="post"
> >>action="<%=request.getContextPath()%>/controller">
> >>to call the servlet
> >>
> >>the trouble is the user can type directly into the url
> >>localhost:8080/myapp/controller
> >>
> >>and call the servlet out of context. How do I stop that?
> >>
> >>Tim Funk wrote:
> >>
> >>>You can't prevent images from being taken.
> >>>
> >>>As for JSPs. Move them to your WEB-INF directory. Then use a servlet
> >>>to validate the incoming parameters and then forward to the JSP.
> >>>
> >>>-Tim
> >>>
> >>>Paul Taylor wrote:
> >>>
> >>>>Thanks, works a treat.
> >>>>
> >>>>Is there a similar way to prevent the user typing in the url of a
> >>>>particular jsp or image and stop them being taken it. I've looked at
> >>>>security-constraints but this seems to be based on only
> >>>>certain/logged in users gaining access. I have no concept of logged
> >>>>users in my application but I only want them to access pages via the
> >>>>interface rather than the url except for a few pages which they can
> >>>>access via url to allow them to bookmark them.
> >>>>
> >>>>Shapira, Yoav wrote:
> >>>>
> >>>>>Hi,
> >>>>>Add a listings parameter to the DefaultServlet in conf/web.xml with a
> >>>>>param-value of false. IIRC.
> >>>>>
> >>>>>Yoav Shapira http://www.yoavshapira.com
> >>>>>
> >>>---------------------------------------------------------------------
> >>>To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>For additional commands, e-mail: [EMAIL PROTECTED]
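
Tim Funk's suggestion from the thread above (finish.jsp moved under WEB-INF, with the servlet validating the request before forwarding), written out as an added example that is not code from any poster. The class name and paths are the ones quoted in the thread; the "comments" parameter and the length limit are assumptions.

```java
package com.myapp;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Controller extends HttpServlet {

    // The bookmarkable page stays where it is. The result page lives under
    // WEB-INF, which the container does not serve for a client-typed URL.
    private static final String START = "/jsp/feedback/start.jsp";
    private static final String FINISH = "/WEB-INF/feedback/finish.jsp";
    private static final int MAX_LEN = 2000; // assumed limit for the field

    // Typing /controller into the address bar issues a GET, not the form's
    // POST, so send that request back to the form.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.sendRedirect(req.getContextPath() + START);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // "comments" is a hypothetical field name on the feedback form.
        String comments = req.getParameter("comments");
        if (comments == null || comments.trim().isEmpty()
                || comments.length() > MAX_LEN) {
            // A request without valid form input never reaches finish.jsp.
            resp.sendRedirect(req.getContextPath() + START);
            return;
        }
        // The Referer header is not consulted here: it is supplied by the
        // client and may be missing or altered, so the decision rests on the
        // request method and the validated parameters only.
        req.setAttribute("comments", comments.trim());
        // Server-side forward; the client never sees the WEB-INF path.
        req.getRequestDispatcher(FINISH).forward(req, resp);
    }
}
```

With this layout the existing form action and the /controller mapping stay unchanged; only finish.jsp moves.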