On Fri, 22 Aug 2003, Andrew Hill wrote:

> Date: Fri, 22 Aug 2003 19:31:18 +0800
> From: Andrew Hill <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>,
>     [EMAIL PROTECTED]
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Subject: RE: Disallow user to modify URL in browser address bar
>
> wait wait I know!
>
> <idea type="silly" today="friday" drink="beer">
> Have only ONE url for the whole application.
> Give every page a hidden field named "theRealUrl" and all links etc....
> actually fire JavaScript that sets this hidden field and POST to that one
> acceptable url, then you have a filter (or override ActionServlet) that uses
> the value in "theRealUrl" to redirect the request appropriately. Any request
> that doesn't have a value for "theRealUrl" gets shunted off to the access
> denied page...
> </idea>
>
> hehe, or to quote James: "Good Luck!!!"
>

You can actually get a long ways towards the goal by faking it -- either
create a frameset with only one frame in it (so that the location bar does
not change), or open a window without a location bar at all. You're not
going to fool the experts, but you'll certainly reduce the amount of casual
mischief.

Craig

