Solved

Detecting access to .jsp outside of frame

Posted on 2002-04-08
12
279 Views
Last Modified: 2007-12-19
My web site uses frames with individual frames for a tool bar and another one for the main content.   Is there a way on the server side to detect when someone is trying to access the main content frame without the parent frameset being displayed?   If someone clicks on a link (from a search engine) to the main content page, I want to make sure that the toolbar frame is also displayed.
0
Comment
Question by:JohnWeidner
  • 4
  • 4
  • 2
  • +1
12 Comments
 
LVL 33

Expert Comment

by:knightEknight
ID: 6925773
I would handle this on the client.  In your main content page, do this:

<SCRIPT language='javascript'>
 if (parent.frames.length==0)
   top.location="frameset.jsp?mainpage=" + location.href;
</script>

0
 
LVL 33

Accepted Solution

by:
knightEknight earned 100 total points
ID: 6925777
then when you set the frameset up ...

<%
  String mainpage = request.getParameter("mainpage");
  if ( mainpage==null )
     mainpage = "default.jsp";
%>

...

  <FRAME name="main" src="<%=mainpage%>" >
0
 

Author Comment

by:JohnWeidner
ID: 6926479
That's what I was thinking I'd have to do.   I was just wanting to catch it on the server side before the first page got to the browser if that were possible.
0
 

Author Comment

by:JohnWeidner
ID: 6926614
I just noticed the "referer" entry in the header.   Would there be any problem with something like this?

<%
    if ( request.getHeader( "referer" ) == null )
    {
        // request has come from outside of the frame
        targetPage = HttpUtils.getRequestURL( request );
        session.setAttribute( "mainPage", targetPage );
%>
      <jsp:forward page="frameset.jsp" />
<%
    }
%>

and then in frameset.jsp have


<%
 String mainpage = session.getAttribute("mainPage");
 if ( mainpage==null ) {
    mainpage = "default.jsp";
  }
%>

...

 <FRAME name="main" src="<%=mainpage%>" > 
0
 
LVL 27

Expert Comment

by:rrz
ID: 6926966
From your use of a deprecated ( HttpUtils.getRequestURL )  
I assume you are using pre-Servlet2.3  
But if you could use Servlet2.3  have you considered  
using  Filters.  
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6927037
rrz: filters execute on the server side.  You can get the requested URI/URL but not the actual URL in the browser location box.  So Java won't know that it is in a frame.

JavaScript must be use to check for being framed and to enforce the navigation frame.

CJ

0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 27

Expert Comment

by:rrz
ID: 6927114
to cheekyci,
JohnWeidner wrote  
>If someone clicks on a link (from a search engine) to
the main content page, I want to make sure that the toolbar frame is also displayed.
   
So what I am suggesting is to  use a Filter to redirect any request for the main content page to the frameset page.
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6927880
rrz: the problem is that the filter cannot know the exact origin of the request.  It knows what page is requested.

For example, if I have frame.htm (with two frames split horizontally) which has my own html nav on top and a servlet for the bottom part.  The filter can detect that bottomFrame Servlet has been called.. but the filter actually has NO clue that frame.htm is calling it as a part of the frame.

You can filter requests to bottomFrame Servlet but how do you differentiate when frame.htm is on your site versus another site?  the Servlet's URI will always be the same.

Hence, a JavaScript solution is needed.

CJ
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6927883
A filter cannot detect whether the page was called directly or from a frame.
0
 
LVL 27

Expert Comment

by:rrz
ID: 6928570
I will describe my idea in more detail. I really don't know if it can be done. I have not tried to write the code yet.    
The web site pages that JohnWeidner wants to access contain
a frameset. Make those pages JSP, for example FrameSetX.jsp.   FramSetX.jsp could  have the code request.setAttribute("token","token"); . The main content page, MainContent.jsp is designated as the URL to which the Filter applies. The Filter has the logic to decide if the token is present in the request. If token is null then the Filter redirects to FrameSetX.jsp .  
Is this feasable ?
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 6928593
I am not sure here.

The filter is not applied to FrameSetX.jsp since you want that accessible.. and it will attach a token and forward to the MainContent.jsp.. I don't know if filter's are applied to servlet/jsp forwards.. I thought they went by requested URL.

CJ
0
 
LVL 27

Expert Comment

by:rrz
ID: 6929827
I wrote the code. My idea does work but seems like a lot of work if JavaScript can do the job. It doesn't work by setting a request object. I got it to work two ways, the first way by using a session object, the second way by using a query string.  Either way the web.xml file should be edited to include the following.  
            <filter>
                    <filter-name>Entry</filter-name>
                    <filter-class>myPackage.EntryFilter</filter-class>
           </filter>
           <filter-mapping>
                     <filter-name>Entry</filter-name>
                     <url-pattern>/jspPackage/MainContent.jsp</url-pattern>
           </filter-mapping>  

--------EntryFilter.java---------------------------------
 package myPackage;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class EntryFilter implements Filter{
public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain)
                   throws ServletException, IOException {
         HttpServletResponse resp = (HttpServletResponse)response;
         HttpServletRequest req =  (HttpServletRequest)request;
         if(req.getSession().getAttribute("token")==null)resp.sendRedirect("/MyContext/jspPackage/FrameSetX.jsp ");  
//second way// if(request.getParameter("token")==null)resp.sendRedirect("/MyContext/jspPackage/FrameSetX.jsp");
         chain.doFilter(request,response);
}
public void init(FilterConfig config) throws ServletException{}
public void destroy(){}
}
------------------------------------------------------
In  FrameSetX.jsp  include the following(second way commented out);

<frameset rows="xx,*">
<%
  session.setAttribute("token","token");
%>
<frame name="top" src="Toolbar.jsp"/>
<frame name="bottom" src="MainContent.jsp"/>
<%-- <frame name="bottom" src="MainContent.jsp?token=token"/> --%>
</frameset>
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
servlet cookie finding by name 1 70
Spring MVC - sending raw charset to backend 3 188
struts spring hibernate example 12 105
I get error: useBean: Duplicate bean name: {0} 1 115
Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
Microsoft Office Picture Manager was included in Office 2003, 2007, and 2010, but not in Office 2013. Users had hopes that it would be in Office 2016/Office 365, but it is not. Fortunately, the same zero-cost technique that works to install it with …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now