0

I'm trying to figure out how cookies can be used to prevent a hacker from typing in a URL to an internal part of a java web application that shouldn't be accessible unless the user is logged in.

For example, I'd like to prevent a hacker from typing in http://domain.com/myapp/listtable.jsp and being able to view the table without logging in.

I have a servlet which stores a list of all cookies it has handed out to clients. I'm struggling to understand what the JSP/JSTL code would look like to examine the cookies in the request and compare it to what the server has stored.

Something like:

    <c:forEach items="${cookie}" var="currentCookie">  

        <!-- Compare each incoming cookie with the cookies kept in the servlet,
             if there's not a match then redirect to the login page. Otherwise,
             show the contents of the page below --> 

    </c:forEach>  

<html>

    --- main page HTML here

Can anyone give me some advice on how to do this?

dvanaria
  • This is the job of a servlet, not a JSP – skaffman May 31 '11 at 06:56
  • Yes but if the URL of the jsp is typed in directly in the client browser, the servlet doesn't run before the JSP does, correct? – dvanaria May 31 '11 at 07:01
  • JSPs should not be directly visible to the browser, they should be hidden inside `WEB-INF`, and accessed via servlets. That's basic good design for java webapps. – skaffman May 31 '11 at 07:05
  • Check http://stackoverflow.com/tags/servlet-filters/info to learn about servlet filters. It even contains a hello world filter which does exactly what you're asking. – BalusC May 31 '11 at 12:53

3 Answers

2

This should be the job of a Filter, not of the view.

  • Configure a Filter to check for your protected resources.
  • Check whether the user's session has some value that logically makes him logged in.
  • If not, redirect the user to the login view.

See Also

jmj
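As an added example (not jmj's code or the asker's), here is a servlet Filter that carries out the three steps above; the `/*` mapping, the `user` session attribute set by the login servlet and the `/login.jsp` path are assumptions:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Runs for every URL in the web application (Servlet 3.0 annotation; the pattern is an assumption).
@WebFilter("/*")
public class LoginFilter implements Filter {

    // Session attribute the login servlet stores after a successful login (assumed name).
    static final String USER_ATTRIBUTE = "user";
    // Login page that must stay reachable without a session (assumed path).
    static final String LOGIN_PATH = "/login.jsp";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/listtable.jsp".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // The login page and static assets are public; otherwise nobody could ever log in.
        boolean publicResource = path.equals(LOGIN_PATH) || path.startsWith("/static/");

        // getSession(false) never creates a session for an anonymous visitor.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTRIBUTE) != null;

        if (loggedIn || publicResource) {
            chain.doFilter(request, response);   // let the JSP or servlet render
        } else {
            // Not logged in: send the browser to the login page instead of the protected JSP.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
        }
    }

    @Override
    public void destroy() { }
}
```

Because the container already binds the JSESSIONID cookie to the server-side HttpSession, the filter never has to compare incoming cookies against a list kept by a servlet.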
1

I would personally add my JSP or any presentation content (that you deem protected) under the WEB-INF folder and map it accordingly to your controller. That way, the servlet container will hide it from external viewing.

Buhake Sindi
0

Even if it's not the correct way to do it, you can in fact do something like that.

Try this:

    <c:forEach items="${cookie}" var="currentCookie">

        <!-- Compare each incoming cookie with the cookies kept in the servlet,
             if there's not a match then redirect to the login page. Otherwise,
             show the contents of the page below -->

        ${currentCookie.value.name} - ${currentCookie.value.value}<br/>

        <c:if test="${currentCookie.value.name=='JSESSIONID'}">
            Your Session is ${currentCookie.value.value}
        </c:if>

    </c:forEach>