Hi, I have tried the referer (and referrer) attribute, but it didn't work.
I have also tried getting all the header names. The header list does not contain the referer header. The following log shows the list of headers obtained:

a) When JSP is accessed directly

    accept = */*
    accept-encoding = gzip, deflate
    accept-language = en-us
    connection = Keep-Alive
    host = brahul
    user-agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

b) When JSP is accessed via controller

    accept = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/pdf, */*
    accept-encoding = gzip, deflate
    accept-language = en-us
    connection = Keep-Alive
    cookie = JSESSIONID=0000JP5BKM0A5RE2XUKMI2AQV4Q:-1
    host = brahul
    user-agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Regards
Rahul

----- Original Message -----
From: "Vikramjit Singh" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 09, 2002 11:33 AM
Subject: Re: Restricting direct access of jsp's

> > -----Original Message-----
> > From: Rahul [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, September 08, 2002 11:06 PM
> > To: [EMAIL PROTECTED]
> > Subject: Restricting direct access of jsp's
> > Importance: High
> >
> > Hi,
> >
> > We are using MVC architecture in our project with j2ee 1.2.
> > We have a Front Controller which is the only access point
> > for various modules.
> > This front controller performs all the authentication and
> > authorization checks.
> > If the user is authorized it gives access to the requested
> > resource (let's say a jsp).
> >
> > Since there are no authentication/authorization checks in the
> > jsp, anybody who somehow comes to know of the url of a jsp
> > can access the jsp.
> >
> > Is there any way (preferably declarative) to make the jsp's
> > inaccessible when accessed directly.
> > They should of course still work when request is forwarded
> > from the controller servlet.
>
> Check the referrer, from which the jsp is being called.
> request.getHeader("REFERRER")
> if it equals the jsp page which should call, then show the page, or if the
> jsp page is called by just adding the page url in the address bar, then show
> a message.
>
> > Thanks & Regards
> > Rahul
>
> Vikram.
>
> > ===========================================================================
> > To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> > For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
> > Some relevant FAQs on JSP/Servlets can be found at:
> >
> > http://archives.java.sun.com/jsp-interest.html
> > http://java.sun.com/products/jsp/faq.html
> > http://www.esperanto.org.nz/jsp/jspfaq.jsp
> > http://www.jguru.com/faq/index.jsp
> > http://www.jspinsider.com
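
A declarative approach to the original question, as an added example that is not part of the thread: a web.xml security constraint binds every *.jsp URL to a role that is assigned to no user, so client requests for a JSP are never served, while the controller's RequestDispatcher forward still works because security constraints apply to incoming client requests, not to server-side forwards. The role name no-direct-access is a constructed placeholder, and the behaviour should be confirmed on the target container.

```xml
<!-- Added example; fragment of WEB-INF/web.xml, placed inside <web-app>. -->

<!-- Before: with no constraint, any client that knows the URL of a JSP
     can request it and bypass the front controller's checks. -->

<!-- After: every *.jsp URL requires a role that no user is ever given. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Direct JSP requests</web-resource-name>
    <!-- Extension mapping: matches a JSP at any path in the application. -->
    <url-pattern>*.jsp</url-pattern>
    <!-- No <http-method> elements: the constraint covers all HTTP methods. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Constructed placeholder role. Do not map it to any user or group
         in the server's user registry. -->
    <role-name>no-direct-access</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <description>Deliberately unassigned; blocks direct JSP access</description>
  <role-name>no-direct-access</role-name>
</security-role>

<!-- The front controller servlet keeps its own URL mapping and, after its
     authentication and authorization checks pass, continues to forward to
     the JSP with RequestDispatcher.forward(). That forward happens inside
     the container and is not a new client request, so the constraint above
     is not evaluated for it. -->
```

This does not depend on the Referer header, which is supplied by the browser and is not added by a server-side forward, consistent with the header logs in the message above.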
