At the top of my page is an access control code block that checks to see if
a user is allowed access to the page.  If the user doesn't have access, then
they are redirected to an error page.  Below the control code is a procedure
to deal with a submitted form that updates a database.  The problem is if
the user is not allowed, the form submission is still allowed and then the
user is redirected to the error page, which would allow an unwanted visitor
to update the database even though the control code successfully rejects
them.  The only way I'm able to force the server to redirect before parsing
the whole page is to place a "return;" immediately after the redirect at the
end of the if() block.  Is there a problem with this method, such as the
servlet container seeing a return where it shouldn't?
Here's my code (Macromedia Ultradev 4 generated):

<%
// *** Restrict Access To Page: Grant or deny access to this page
String MM_authorizedUsers="seller";
String MM_authFailedURL="login.jsp";
boolean MM_grantAccess=false;
if (session.getValue("MM_Username") != null && !session.getValue("MM_Username").equals("")) {
  if (false || (session.getValue("MM_UserAuthorization")=="") ||
      (MM_authorizedUsers.indexOf((String)session.getValue("MM_UserAuthorization")) >=0)) {
    MM_grantAccess = true;
  }
}
if (!MM_grantAccess) {
  String MM_qsChar = "?";
  if (MM_authFailedURL.indexOf("?") >= 0) MM_qsChar = "&";
  String MM_referrer = request.getRequestURI();
  if (request.getQueryString() != null) MM_referrer = MM_referrer + "?" + request.getQueryString();
  MM_authFailedURL = MM_authFailedURL + MM_qsChar + "accessdenied=" + java.net.URLEncoder.encode(MM_referrer);
  response.sendRedirect(response.encodeRedirectURL(MM_authFailedURL));
  return;  //this is added
}
%>



Thomas Spellman
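
Added example, not part of the original post or of the Ultradev-generated code: the same check moved into a servlet filter, so the page and its form handler are never invoked for a rejected request. The class name SellerOnlyFilter and its web.xml mapping are assumptions; the session keys and login.jsp come from the post, and the role test is an exact match, which is stricter than the generated indexOf() test.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (name is an assumption). Map it in web.xml to the
// protected pages so the check runs before any page code does.
public class SellerOnlyFilter implements Filter {
    private static final String AUTHORIZED = "seller";     // value from the post
    private static final String FAILED_URL = "login.jsp";  // value from the post

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    // Pure decision, kept separate so it can be tested without a container.
    // Exact match on the role: an empty or missing role is denied.
    static boolean isAllowed(Object user, Object role) {
        return user instanceof String && !((String) user).isEmpty()
            && AUTHORIZED.equals(role);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);  // do not create a session here
        Object user = (s == null) ? null : s.getAttribute("MM_Username");
        Object role = (s == null) ? null : s.getAttribute("MM_UserAuthorization");

        if (!isAllowed(user, role)) {
            String ref = req.getRequestURI();
            if (req.getQueryString() != null) ref += "?" + req.getQueryString();
            String sep = FAILED_URL.indexOf('?') >= 0 ? "&" : "?";
            res.sendRedirect(res.encodeRedirectURL(
                FAILED_URL + sep + "accessdenied=" + URLEncoder.encode(ref, "UTF-8")));
            // sendRedirect() only sets the response status and Location header;
            // it does not stop this method. Without the return, the chain
            // (and the page's database update) would still run.
            return;
        }
        chain.doFilter(req, res);  // reached only for authorized users
    }
}
```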
