Richard,

This is a guess on my part, but perhaps you want a Custom Security Constraint.
This page shows an example of setting up constraints:
http://my-messages.setar.aw/ref/security.xtp

So here is a tack you might try .. I didn't try to compile this so it's probably loaded with errors:

    package foo;

    import java.io.IOException;
    import java.util.ArrayList;
    import javax.servlet.ServletContext;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.caucho.server.security.AbstractConstraint;

    public class SanitizedConstraint extends AbstractConstraint {
      private ArrayList<String> _validURIList = new ArrayList<String>();

      // Resin calls this for <init-param validURI='...'/>; the value is a
      // comma-separated list of request URIs that are allowed through.
      public void setValidURI(String validURIList) {
        String[] uriArray = validURIList.split(",");
        for (int index = 0; index < uriArray.length; index++) {
          _validURIList.add(uriArray[index].trim());
        }
      }

      public boolean isAuthorized(HttpServletRequest request,
                                  HttpServletResponse response,
                                  ServletContext application)
        throws ServletException, IOException
      {
        for (String uri : _validURIList) {
          if (uri.equals(request.getRequestURI())) {
            return true;
          }
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
      }
    }

then the resin.xml's security-constraint might look like:

    <security-constraint>
      <constraint>
        <class-name>foo.SanitizedConstraint</class-name>
        <!-- add any URIs you want to check here -->
        <init-param validURI='/secure/index.jsp,/admin/page.html'/>
      </constraint>
      <web-resource-collection url-pattern='/*'/>
    </security-constraint>

- Aaron

> -----Original Message-----
> From: [email protected] [mailto:resin-interest-
> [email protected]] On Behalf Of Richard Grantham
> Sent: Monday, February 16, 2009 7:50 AM
> To: General Discussion for the Resin application server
> Subject: [Resin-interest] j_uri sanitising
>
> Hi list,
>
> Is it possible to inspect/manipulate the value of j_uri after it has been
> posted to j_security_check and before it's acted upon on a successful
> authentication? It has been suggested to us that parameter-based
> redirection is something of a security risk, so if we can ensure that
> the value of j_uri when posted conforms to certain guidelines it would
> keep people happy.
>
> rgds,
>
> Richard
>
> Richard Grantham
> Development
> Limehouse Software Ltd
> www.limehousesoftware.co.uk
>
> _______________________________________________
> resin-interest mailing list
> [email protected]
> http://maillist.caucho.com/mailman/listinfo/resin-interest
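As an added example (my own, not Aaron's code and not part of Resin), here is the kind of j_uri check Richard asks about, written as a standalone helper that a filter or custom constraint in front of j_security_check could call before the container redirects; the class and method names are hypothetical, and contextPath is whatever request.getContextPath() returns for the application.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Validates a posted j_uri before it is used as the post-login redirect.
 *  Hypothetical helper (not Resin's API): reject the request when it returns false. */
public final class JUriValidator {
    private final String contextPath; // e.g. "/app"; "" for the root context

    public JUriValidator(String contextPath) {
        this.contextPath = contextPath;
    }

    /** True only for a plain, single-slash-rooted path inside this web app. */
    public boolean isSafe(String jUri) {
        if (jUri == null || jUri.isEmpty()) {
            return false;
        }
        // Control characters, whitespace and backslashes invite header injection
        // and browser/parser disagreement, so refuse them outright.
        for (int i = 0; i < jUri.length(); i++) {
            char c = jUri.charAt(i);
            if (c <= 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }
        // "//host/x" is protocol-relative (off-site) and "http://..." carries a
        // scheme; only "/path" is acceptable.
        if (!jUri.startsWith("/") || jUri.startsWith("//")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(jUri);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() != null || uri.getAuthority() != null) {
            return false;
        }
        // normalize() collapses dot segments; getPath() then decodes, so an
        // encoded "%2e%2e" also surfaces as ".." and is rejected.
        String path = uri.normalize().getPath();
        if (path == null || path.contains("..")) {
            return false;
        }
        return path.equals(contextPath) || path.startsWith(contextPath + "/");
    }
}
```

Values that fail the check should be replaced with a fixed landing page rather than passed to sendRedirect(), so the redirect target is never attacker-chosen.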
