• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1818
  • Last Modified:

Restrict pages direct URL access

'llo xprts,

I have a site that uses forms and validates fields and redirects to another pages etc, but I need to know how to keep any user from access a page directly with the URL and it gets redirectionated to the login form...

I've seen this, but I don't know how to call it. :S

I think it's with session variables, and that I should check for a session variable in the top of the page that I want to restrict.

I'm kind of lost in the translation here :S

Thanks in advance.

MMarts
0
mmartha
Asked:
mmartha
  • 5
  • 3
  • 2
  • +3
1 Solution
 
rk_radhakrishnaCommented:
0
 
sompol_kiatkamolchaiCommented:
Yes you can keep something like username in session object after making authentication. So the user that want to access page without login they will be redirect to login page.

Here is the code for example.
<%
String username = (String)session.getAttribute("username");
if ( username == null ) response.sendRedirect("/login.jsp");
%>

And in servlet that do authentication after success to do that you should put username to session object like this

HttpSession session = request.getSession();
session.setAttribute("username", username);
0
 
mmarthaAuthor Commented:
hello sompol,

you'll see, all I have are JSP pages. How can I put the servlet code into a JSP page?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
mmarthaAuthor Commented:
I did

<%
HttpSession session = request.getSession();
session.setAttribute("username", username);
%>

and I got

FPP_jsp.java:45: session is already defined in _jspService(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
HttpSession session = request.getSession();

ForgotPasswordPrincipal_jsp.java:46: cannot resolve symbol
symbol  : variable username
location: class org.apache.jsp.FPP_jsp
session.setAttribute("username", username);
                                 ^
so I did:

<%
HttpSession session2 = request.getSession();
session.setAttribute("username", username);
%>

and I only got the variable error, but not the session one.

What should I do? :S
0
 
mmarthaAuthor Commented:
I realized that I used session and session2, so I typed:

<%
HttpSession session2 = request.getSession();
session2.setAttribute("username", username);
%>

but got the same result :S
0
 
mmarthaAuthor Commented:
the filename is ForgotPasswordPrincipal.jsp, I was trying to making it shorter, but I  forgot to modify a line back there. Wherever it says FPP it's "ForgotPasswordPrincipal"
0
 
kiranhkCommented:
you need to put this in your web.xml and then in your login.jsp after the user is logged in you can add it to session....

<!-- ... -->
<security-constraint>
   <web-resource-collection>
     <web-resource-name>Sensitive</web-resource-name>
     <url-pattern>/sensitive/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>administrator</role-name>
     <role-name>executive</role-name>
   </auth-constraint>
 </security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.html</form-error-page>
</form-login-config>
</login-config>
<!-- ... -->
0
 
mmarthaAuthor Commented:
I don't have a login page. I just want to have the page redirected to the main page if someone try to access it directly. :S

I tried adding those to the config and then restarted the service, but I still got that error.

ForgotPasswordPrincipal_jsp.java:46: cannot resolve symbol
symbol  : variable username
location: class org.apache.jsp.FPP_jsp
session.setAttribute("username", username);
                                 ^

I have the page map like this:

[Page1]-->[Page2]-->[Page4]
      |
[Page3]-->[Page5]

Without any authentication. I want that if someone access directly to page4 or page5, to be redirected to page1. :S
0
 
kiranhkCommented:
if you dont have a login page then dont use the session.setAttribute.......
0
 
gnoonCommented:
mmartha, using session should work.

Put this code on top of first page:
<%
  //  Page1.jsp

  session.setAttribute( "location", new Integer(1) );
%>

and this code for other pages

<%
  //   Page2.jsp by assume.

  //   On this page, the location value should be 1, otherwise it's accessed directly.

  Integer location = (Integer) session.getAttribute("location");
 
  if( location == null || location.intValue() != 1 )
  {
      // It's accessed directly, go to Page1.
      response.sendRedirect("Page1.jsp");
  }
  else
  {
      // It's accessed from Page1, set location attribute to the current point.
      session.setAttribute( "location", new Integer(2) );
  }
%>

Regards,
G noon
0
 
CodingExpertsCommented:
Well you can check on all pages ...
<%
if(request.getRequestURL().equals("url of page1"))
{
%>
  // do the processing of the page
<%
}
else
{
  request.redirectTo("url of page1");
}
%>

Hope this helps

-CE
0
 
CodingExpertsCommented:
This would ensure that the request generated only from page1 should be processed rest in all other cases should be redirected to page1.

-CE
0
 
sompol_kiatkamolchaiCommented:
If all you have are jsp, so you can use session.setAttribute("username", username) without HttpSession session = request.getSession();
0
 
sompol_kiatkamolchaiCommented:
If your system don't have any authentication, you just put anonymous as username.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 5
  • 3
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now