Ali Bassam

Reputation: 9959

How to prevent client from accessing JSP page

In my web application, I use the .load() function in jQuery to load some JSP pages inside a DIV.

$("#myDiv").load("chat.jsp");

In chat.jsp, no Java code is executed unless this client has logged in, meaning I check the session.

// getAttribute() returns Object, and null when nobody is logged in,
// so test for null before comparing.
Object sessionId = session.getAttribute("SessionId");
if(sessionId != null && sessionId.toString().equals("100")){
  //execute codes
}else{
  //redirect to log in page
}

The Java code that gets executed will out.println() some HTML elements.

I don't want the client to write /chat.jsp in the browser to access this page, as it will look bad, the other stuff in the main page won't be there, and this could do harm to the web app's security.

How can I restrict someone from accessing chat.jsp directly, but still keep it accessible via .load()?

UPDATE:

JavaDB is a class I made; it connects me to the database.

This is chat.jsp

<%@ page import="java.sql.Connection, java.sql.PreparedStatement, java.sql.ResultSet" %>
<body>

    <%
        // getAttribute() returns null when nobody is logged in, so check for null
        // before calling toString() on it (the original called toString() first).
        Object sessionAttr = session.getAttribute("SessionId");
        String userId = (sessionAttr == null) ? null : sessionAttr.toString();
        if (userId != null) {
            // Parse the parameters as numbers and bind them with a PreparedStatement
            // instead of concatenating request data into the SQL string.
            long roomId = Long.parseLong(request.getParameter("roomId"));
            long lastMessageId = Long.parseLong(request.getParameter("lastMessageId"));
            JavaDB myJavaDB = new JavaDB();
            myJavaDB.Connect("Chat", "chat", "chat");
            Connection conn = myJavaDB.getMyConnection();
            PreparedStatement stmt = conn.prepareStatement(
                "select message,message_id,first_name,last_name from users u,messages m"
                + " where u.user_id=m.user_id and m.message_id>? and room_id=?"
                + " order by m.message_id asc");
            stmt.setLong(1, lastMessageId);
            stmt.setLong(2, roomId);
            String lastId = "";
            int fi = 0;
            ResultSet rset = stmt.executeQuery();
            while (rset.next()) {
                fi = 1;
                lastId = rset.getString(2);
    %>
    <div class="message">
        <div class="messageSender">
            <%=rset.getString(3) + " " + rset.getString(4)%>
        </div>
        <div class="messageContents">
            <%-- message text is written out as-is; escape it if users can type HTML --%>
            <%=rset.getString(1)%>
        </div>
    </div>
    <%            }
            rset.close();
            stmt.close();
    %>
    <div class="lastId">
        <% if (fi == 1) {%>
        <%=lastId%>
        <% } else {%>
        <%=lastMessageId%>
        <% }%></div>

    <% if (fi == 1) {%>
    <div class="messages">
    </div> 
    <% }
        } else {
            response.sendRedirect("index.jsp");
        }%>
</body>

Guys, I don't know what Filter means.

UPDATE

Suppose I decided to send a parameter that tells me that this request came from jQuery.

.load("chat.jsp", { jquery : "yes" });

And then check it in chat.jsp

String yesOrNo = request.getParameter("jquery");

Then they can simply hack this by using this URL.

/chat.jsp?jquery=yes

or something like that..

UPDATE

I tried Maksim's advice; I got this when I tried to access chat.jsp.

[screenshot]

Is this the desired effect?

Upvotes: 1

Views: 1483

Answers (4)

Maksim Vi.

Reputation: 9225

In order to achieve this in my application I check for the X-Requested-With field in the HTTP header the client sends to my page in its request. If its value is XMLHttpRequest, then it's very likely that it came from an Ajax request (jQuery appends this header to its requests); otherwise I don't serve the page. Regular (direct) browser requests will leave this header field blank.

In ASP.NET it looks like this; you will have to change your code slightly for JSP:

if (Request.Headers["X-Requested-With"] != "XMLHttpRequest")
{
     Response.Write("AJAX Request only.");
     Response.End();
     return;
}

UPD: After a quick googling, your code will probably be something like this:

if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
    out.println("AJAX Request only.");
    out.flush(); 
    out.close(); 
    return; 
}

UPD2: Looks like request.getHeader("X-Requested-With") returns null in your case; change the condition to something like this:

String ajaxRequest = request.getHeader("X-Requested-With");
// null check first: getHeader() returns null when the header is absent
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
    out.println("AJAX Request only.");
    out.flush(); 
    out.close(); 
    return; 
}

Upvotes: 2

MaVRoSCy

Reputation: 17839

According to http://www.c-sharpcorner.com/blogs/2918/how-to-set-a-request-header-in-a-jquery-ajax-call.aspx

jQuery gives you the tools you need to create a request and retrieve a response through its Ajax library. The raw $.ajax call gives you all kinds of callbacks to manipulate HTTP messages.

So you can add a custom request header in your Ajax call like this:

$.ajax({
  type: "POST",
  url: "chat.jsp",
  beforeSend: function (request) {
     // custom header the server side will look for
     request.setRequestHeader("Authority", "AJAXREQUEST");
  },
  success: function (html) {
     $("#myDiv").html(html);
  }
});

And then in your servlet check to see if the request has the header Authority equal to AJAXREQUEST. This is how you read request headers: http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/Servlet-Tutorial-Request-Headers.html

Upvotes: 1

Subin Sebastian

Reputation: 10997

You should use a Filter. Check the session in the filter code and redirect to login.

Upvotes: 1

Amir Pashazadeh

Reputation: 7302

Is your code snippet a servlet? If so, use a security framework (such as Spring Security) or a javax.servlet.Filter for applying security; then you can apply security to JSPs too.

Upvotes: 1
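Since the question asks what a Filter is, here is an added example (not code from any of the answers or from the asker's project) that puts Maksim's X-Requested-With check, MaVRoSCy's custom-header variant, and the session check that Subin and Amir suggest into one javax.servlet.Filter mapped to chat.jsp. It assumes the Servlet 3.0 API (so the mapping can be done with @WebFilter), that the login page stores a marker under the session attribute "SessionId" as in the question, and that index.jsp is the login page; the class name and the attribute/header names are illustrative. Note that both header checks only stop someone typing the URL into the address bar: any HTTP client can send those headers, so the session check is the part that actually protects the data.

```java
// AjaxSessionFilter.java - added example, not from the original question or answers.
// Assumes javax.servlet (Servlet 3.0+) and a session attribute "SessionId" set at login.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical mapping: runs before chat.jsp (add more fragment pages to the array as needed).
@WebFilter(urlPatterns = {"/chat.jsp"})
public class AjaxSessionFilter implements Filter {

    private static final String SESSION_ATTR = "SessionId"; // set by the login page (assumption)
    private static final String LOGIN_PAGE = "/index.jsp";  // login page (assumption)

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. The real access control: a session must exist and carry the login marker.
        //    getSession(false) does not create an empty session for anonymous hits.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(SESSION_ATTR) != null;
        if (!loggedIn) {
            if (isAjax(request)) {
                // XMLHttpRequest follows redirects, so a redirect would drop the login
                // page's HTML into the DIV; send 401 and let the page's JavaScript decide.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else {
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            }
            return;
        }

        // 2. Cosmetic guard: only render the fragment for Ajax callers. jQuery sets
        //    X-Requested-With automatically; a direct address-bar visit does not.
        //    Any client can forge these headers, so this is not a security boundary.
        if (!isAjax(request)) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("text/plain");
            response.getWriter().write("AJAX request only.");
            return;
        }

        chain.doFilter(req, res); // both checks passed: let chat.jsp render
    }

    // Accept either jQuery's standard header or the custom one from MaVRoSCy's answer.
    // getHeader() returns null when the header is absent, so keep the literal on the
    // left of equals() to avoid a NullPointerException.
    static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))
            || "AJAXREQUEST".equals(request.getHeader("Authority"));
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

On a Servlet 2.5 container without annotation support, the same class is registered in web.xml with a `<filter>` element naming the class and a `<filter-mapping>` whose `<url-pattern>` is /chat.jsp. On the jQuery side, the 401 can be handled in the .load() callback, for example `$("#myDiv").load("chat.jsp", function (text, status, xhr) { if (xhr.status === 401) { window.location = "index.jsp"; } });`, so an expired session sends the user to the login page instead of rendering it inside the DIV.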
