Solved

Detecting access to .jsp outside of frame

Posted on 2002-04-08
12
277 Views
Last Modified: 2007-12-19
My web site uses frames with individual frames for a tool bar and another one for the main content.   Is there a way on the server side to detect when someone is trying to access the main content frame without the parent frameset being displayed?   If someone clicks on a link (from a search engine) to the main content page, I want to make sure that the toolbar frame is also displayed.
0
Comment
Question by:JohnWeidner
  • 4
  • 4
  • 2
  • +1
12 Comments
 
LVL 33

Expert Comment

by:knightEknight
ID: 6925773
I would handle this on the client.  In your main content page, do this:

<SCRIPT language='javascript'>
 if (parent.frames.length==0)
   top.location="frameset.jsp?mainpage=" + location.href;
</script>

0
 
LVL 33

Accepted Solution

by:
knightEknight earned 100 total points
ID: 6925777
then when you set the frameset up ...

<%
  String mainpage = request.getParameter("mainpage");
  if ( mainpage==null )
     mainpage = "default.jsp";
%>

...

  <FRAME name="main" src="<%=mainpage%>" >
0
 

Author Comment

by:JohnWeidner
ID: 6926479
That's what I was thinking I'd have to do.   I was just wanting to catch it on the server side before the first page got to the browser if that were possible.
0
 

Author Comment

by:JohnWeidner
ID: 6926614
I just noticed the "referer" entry in the header.   Would there be any problem with something like this?

<%
    if ( request.getHeader( "referer" ) == null )
    {
        // request has come from outside of the frame
        targetPage = HttpUtils.getRequestURL( request );
        session.setAttribute( "mainPage", targetPage );
%>
      <jsp:forward page="frameset.jsp" />
<%
    }
%>

and then in frameset.jsp have


<%
 String mainpage = session.getAttribute("mainPage");
 if ( mainpage==null ) {
    mainpage = "default.jsp";
  }
%>

...

 <FRAME name="main" src="<%=mainpage%>" >
0
 
LVL 27

Expert Comment

by:rrz
ID: 6926966
From your use of a deprecated ( HttpUtils.getRequestURL )  
I assume you are using pre-Servlet2.3  
But if you could use Servlet2.3  have you considered  
using  Filters.  
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6927037
rrz: filters execute on the server side.  You can get the requested URI/URL but not the actual URL in the browser location box.  So Java won't know that it is in a frame.

JavaScript must be use to check for being framed and to enforce the navigation frame.

CJ

0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 27

Expert Comment

by:rrz
ID: 6927114
to cheekyci,
JohnWeidner wrote  
>If someone clicks on a link (from a search engine) to
the main content page, I want to make sure that the toolbar frame is also displayed.
   
So what I am suggesting is to  use a Filter to redirect any request for the main content page to the frameset page.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6927880
rrz: the problem is that the filter cannot know the exact origin of the request.  It knows what page is requested.

For example, if I have frame.htm (with two frames split horizontally) which has my own html nav on top and a servlet for the bottom part.  The filter can detect that bottomFrame Servlet has been called.. but the filter actually has NO clue that frame.htm is calling it as a part of the frame.

You can filter requests to bottomFrame Servlet but how do you differentiate when frame.htm is on your site versus another site?  the Servlet's URI will always be the same.

Hence, a JavaScript solution is needed.

CJ
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6927883
A filter cannot detect whether the page was called directly or from a frame.
0
 
LVL 27

Expert Comment

by:rrz
ID: 6928570
I will describe my idea in more detail. I really don't know if it can be done. I have not tried to write the code yet.    
The web site pages that JohnWeidner wants to access contain
a frameset. Make those pages JSP, for example FrameSetX.jsp.   FramSetX.jsp could  have the code request.setAttribute("token","token"); . The main content page, MainContent.jsp is designated as the URL to which the Filter applies. The Filter has the logic to decide if the token is present in the request. If token is null then the Filter redirects to FrameSetX.jsp .  
Is this feasable ?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6928593
I am not sure here.

The filter is not applied to FrameSetX.jsp since you want that accessible.. and it will attach a token and forward to the MainContent.jsp.. I don't know if filter's are applied to servlet/jsp forwards.. I thought they went by requested URL.

CJ
0
 
LVL 27

Expert Comment

by:rrz
ID: 6929827
I wrote the code. My idea does work but seems like a lot of work if JavaScript can do the job. It doesn't work by setting a request object. I got it to work two ways, the first way by using a session object, the second way by using a query string.  Either way the web.xml file should be edited to include the following.  
            <filter>
                    <filter-name>Entry</filter-name>
                    <filter-class>myPackage.EntryFilter</filter-class>
           </filter>
           <filter-mapping>
                     <filter-name>Entry</filter-name>
                     <url-pattern>/jspPackage/MainContent.jsp</url-pattern>
           </filter-mapping>  

--------EntryFilter.java---------------------------------
 package myPackage;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class EntryFilter implements Filter{
public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain)
                   throws ServletException, IOException {
         HttpServletResponse resp = (HttpServletResponse)response;
         HttpServletRequest req =  (HttpServletRequest)request;
         if(req.getSession().getAttribute("token")==null)resp.sendRedirect("/MyContext/jspPackage/FrameSetX.jsp ");  
//second way// if(request.getParameter("token")==null)resp.sendRedirect("/MyContext/jspPackage/FrameSetX.jsp");
         chain.doFilter(request,response);
}
public void init(FilterConfig config) throws ServletException{}
public void destroy(){}
}
------------------------------------------------------
In  FrameSetX.jsp  include the following(second way commented out);

<frameset rows="xx,*">
<%
  session.setAttribute("token","token");
%>
<frame name="top" src="Toolbar.jsp"/>
<frame name="bottom" src="MainContent.jsp"/>
<%-- <frame name="bottom" src="MainContent.jsp?token=token"/> --%>
</frameset>
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
JTable - RowFilter & Columns Header. 3 136
change size of out.write buffer 1 80
xjc and jaxb 2 89
if statement not resolving in my code 5 42
Owning a franchise can be the dream of a lifetime. It provides a chance for economic growth. You can be as successful as you want.  To make your franchise successful, you need to market it successfully. Here are six of the best marketing strategies …
Get to know the ins and outs of building a web-based ERP system for your enterprise. Development timeline, technology, and costs outlined.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now