Aehm... Be careful with this advice. First: you will get no referer in any kind of popups. Second: most proxies, anonymizers and anti-spy software remove the referer attribute from the header.

Maybe I'm a little late, but I had a similar requirement some time ago - protect pages from being referred to by "bad guys" directly, without the customer's index page in between. I solved it by adding an encrypted parameter to the link, which, among other things, contained a lifetime of the link and was generated at the index page on the fly. The action checked if the lifetime of the link had expired (which would happen if someone copy&pasted the link) and refused further execution. There are many libs available for encryption / decryption of parameters; the one I used was blowfishj.jar, available at: http://blowfishj.sourceforge.net/ (http://sourceforge.net/project/showfiles.php?group_id=124761&package_id=136373&release_id=288393)

Regards
Leon

> -----Original Message-----
> From: Catalin Croitoru [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 19, 2005 23:50
> To: Struts Users Mailing List
> Subject: Re: Fw: [HELP] How to restrict access to certain mapping action ???
>
> hi,
>
> you can do it like this:
>
> String myReferer = request.getHeader("Referer");
>
> if myReferer is null, this means the request was made by typing the
> address in the address bar. if it's not null, it means the user
> clicked on a link on the last page in the browser and myReferer is
> the url of this page. for a full description of this, look for the
> http description at header field definition. i don't have a
> link on the web for this but i think you can find it easily with google.
>
> i hope this solves your problem.
>
> Catalin
>
> On 5/19/05, Pham Anh Tuan <[EMAIL PROTECTED]> wrote:
> > Thanks Aladin,
> >
> > I'm Alibaba :D,
> >
> > So, the first thing I want to say here is that I don't know exactly how to use
> > <security-constraint>, maybe syntax.
> >
> > the second is, I mean that I don't want the User to do my action by typing my
> > action path directly in the address bar, such as
> > http://www.myweb/user/useraction.do, but I allow the User to do my action by
> > clicking on a certain link on the webpage, such as
> > <html:link page="/user/useraction.do">do</html:link>
> >
> > any solution :(
> >
> > Anh Tuan
> >
> > ----- Original Message -----
> > From: "Aladin Alaily" <[EMAIL PROTECTED]>
> > To: "Struts Users Mailing List" <user@struts.apache.org>
> > Sent: Thursday, May 19, 2005 9:49 AM
> > Subject: Re: Fw: [HELP] How to restrict access to certain mapping action ???
> >
> > > Hi Pham,
> > >
> > > I think this was mentioned earlier. There are two things you can do:
> > >
> > > 1) Use a filter with a url-map to your action
> > >
> > > 2) Use security constraints
> > >
> > > Aladin
> > >
> > > Pham Anh Tuan wrote:
> > >>
> > >> Hi all,
> > >>
> > >> This is the second time I post this message for help :(.
> > >>
> > >> I don't know how to restrict access to a certain mapping action?
> > >>
> > >> Ex:
> > >> I have action: /user/myaction.do
> > >> and I don't want the user to directly access the above action.
> > >>
> > >> Could I use web.xml to solve this problem?
> > >>
> > >> something like:
> > >>
> > >> <security-constraint>
> > >>   <web-resource-collection>
> > >>     <web-resource-name>Restrict access to JSP pages</web-resource-name>
> > >>     <url-pattern>*.jsp</url-pattern>
> > >>   </web-resource-collection>
> > >>   <auth-constraint>
> > >>     <description>With no roles defined, no access granted</description>
> > >>   </auth-constraint>
> > >> </security-constraint>
> > >>
> > >> Thanks for ur reading.
> > >>
> > >> Anh Tuan

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
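
The expiring link parameter described at the top of this message, as an added example that is not part of the original e-mail and not Leon's code. It uses the JDK's AES-GCM in place of the blowfishj library he mentions; the class name, the token layout (12-byte IV, then encrypted expiry time and action path) and the demo key are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper: issues and checks the encrypted, expiring link parameter.
public class ExpiringLinkToken {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;
    public ExpiringLinkToken(SecretKey key) { this.key = key; }

    // Index page: encrypt (expiry time, action path) into a URL-safe parameter.
    public String issue(String actionPath, long now, long lifetimeMs) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // fresh IV per token; GCM must never reuse one under the same key
        byte[] path = actionPath.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + path.length).putLong(now + lifetimeMs).put(path).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Action: accept only an unmodified, unexpired token issued for this path.
    public boolean accept(String token, String actionPath, long now) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < 12 + 8 + 16) return false; // IV + expiry + GCM tag
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            ByteBuffer plain = ByteBuffer.wrap(c.doFinal(in, 12, in.length - 12));
            long expiry = plain.getLong();
            String path = StandardCharsets.UTF_8.decode(plain).toString();
            return now <= expiry && path.equals(actionPath);
        } catch (GeneralSecurityException | RuntimeException e) {
            return false; // missing or malformed token, wrong key, or tampered ciphertext
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128); // constructed demo key; a deployment would load one fixed server-side key
        ExpiringLinkToken t = new ExpiringLinkToken(kg.generateKey());
        String tok = t.issue("/user/useraction.do", 0L, 60_000L); // constructed clock values
        System.out.println(t.accept(tok, "/user/useraction.do", 30_000L) + " " + t.accept(tok, "/user/useraction.do", 90_000L));
    }
}
```

Within its lifetime the parameter still works for anyone who obtains the link, so it limits stale or copied links rather than replacing authentication.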