Pramod,

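In your jsp, check where the request is coming from.

String referer = request.getHeader("Referer");  // header may be absent
if (referer == null || !referer.endsWith("xx??xx")) {
    // request did not come from the expected page
} else {
    // request came from the expected page
}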

Regards,

-P

-----Original Message-----
From:   Pramod Nair
Sent:   Sun 9/8/2002 8:05 PM
To:     [EMAIL PROTECTED]
Cc:     
Subject:             Re: Restricting direct access of jsp's


I am sure there are better solutions than this, but one possible way
would be to set a request attribute through request.setAttribute() in
your controller servlet, before forwarding the request to the view JSP.
The JSP could then check the presence of this request attribute to
determine whether the request came in from a Controller or through a
Direct client access (Clients can't request.setAttribute(), since it's an
HTTP-independent server-side technique).

I'd love to learn some way of doing this declaratively too ...

regards

Pramod Nair


  ----- Original Message ----- 
  From: Rahul 
  To: [EMAIL PROTECTED] 
  Sent: Monday, September 09, 2002 6:05 AM
  Subject: Restricting direct access of jsp's


  Hi,

  We are using MVC architecture in our project with j2ee 1.2.
  We have a Front Controller which is the only access point for various
  modules.
  This front controller performs all the authentication and
  authorization checks.
  If the user is authorized it gives access to the requested resource
  (let's say a jsp).

  Since there are no authentication/authorization checks in the jsp,
  anybody who somehow comes to know of the url of a jsp can access the
  jsp.

  Is there any way (preferably declarative) to make the jsp's
  inaccessible when accessed directly?
  They should of course still work when the request is forwarded from the
  controller servlet.


  Thanks & Regards
  Rahul

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
