sithu

Reputation: 1

Restrict direct url access in struts2

I am developing a business application using Struts2. I'd like to restrict direct URL access. If a user accesses an action by typing the URL directly into the browser, rather than by clicking a link, I'd like to show an error page ("You can't use direct URL access.").

If someone has a solution, please share it with me. Thank you.

Upvotes: 0

Views: 1948

Answers (3)

dileepVikram

Reputation: 932

Maybe you can check the session for particular values to confirm that the request is an authorized one; you can even check for some values in the request, using hidden fields in the JSP for this purpose. The value checking can be done in the prepare() method of the action, which is executed every time the action is called, so before rendering the JSP you can easily redirect to any page by writing logic in the prepare method. To use the prepare method you need to implement the Preparable interface.

Upvotes: 0
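The session-plus-hidden-field check described in this answer, written out as an added example (not code from the answer or from Struts2 itself). The action name, the session attribute name "nav.token", the request parameter "navToken" and the "error" result mapping are assumptions for illustration.

```java
// Added example: a Preparable action that verifies a token held in the session
// against a hidden field submitted with the request, as the answer describes.
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.Preparable;
import org.apache.struts2.interceptor.SessionAware;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

public class OrderAction extends ActionSupport implements Preparable, SessionAware {

    // Assumed session attribute name holding the expected token.
    static final String SESSION_KEY = "nav.token";

    private Map<String, Object> session;   // injected by the servletConfig interceptor
    private String navToken;               // bound from the hidden field "navToken" in the JSP
    private boolean authorized;

    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }

    public void setNavToken(String navToken) { this.navToken = navToken; }

    /** Runs before execute(): compare the submitted hidden field with the session value. */
    @Override
    public void prepare() {
        Object expected = (session == null) ? null : session.get(SESSION_KEY);
        authorized = tokensMatch(expected, navToken);
    }

    @Override
    public String execute() {
        if (!authorized) {
            return ERROR;   // mapped in struts.xml to the "direct access not allowed" page
        }
        // ... normal action logic ...
        return SUCCESS;
    }

    /** Called by the action that renders the link or form, so the JSP can emit the token. */
    public String issueToken() {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, token);
        return token;
    }

    /** Constant-time comparison; a missing session value or missing field never matches. */
    static boolean tokensMatch(Object expected, String submitted) {
        if (!(expected instanceof String) || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(((String) expected).getBytes(), submitted.getBytes());
    }
}
```

The JSP that renders the link or form emits the token as a hidden field, for example `<s:hidden name="navToken" value="%{#session['nav.token']}"/>` (assumed markup), so only requests that passed through that page carry a matching value; a URL typed into the address bar has no field and lands on the ERROR result. Struts2 ships the same idea as the built-in `token` interceptor with the `<s:token/>` tag and the `invalid.token` result, which is usually preferable to a hand-rolled version.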

coding_idiot

Reputation: 13734

The requirement is strange, and I don't understand the reason behind it.

But let me explain how such functionality can be attained:

  1. When a direct URL request is made, the Referer header is not present in the request.

  2. You can simply write an interceptor that checks whether the incoming request has the Referer header and whether it comes from your domain. If not, you can send an error; if yes, continue.

Although it's easy to bypass this, the majority of your users won't be doing so.

Sample interceptor code:

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.StrutsStatics;
import javax.servlet.http.HttpServletRequest;

public class RefererCheckInterceptor extends AbstractInterceptor {
    @Override
    public String intercept(ActionInvocation ai) throws Exception {
        HttpServletRequest request =
                (HttpServletRequest) ai.getInvocationContext().get(StrutsStatics.HTTP_REQUEST);
        // No servlet request available, or no Referer header: treat as direct access.
        // (The original fell through without a return when request was null, which does not compile.)
        if (request == null || request.getHeader("Referer") == null) {
            return "error";
        }
        return ai.invoke();
    }
}

Upvotes: 1
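The answer's second step (the Referer must also come from your own domain) is not implemented by the sample above. This added example, not code from the answer or from Struts2, does both checks. The class name, the configurable "error" result and the comparison against `request.getServerName()` are assumptions for illustration.

```java
// Added example: Struts2 interceptor that requires a Referer header whose host
// matches this application's host; anything else is treated as direct URL access.
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.StrutsStatics;

import javax.servlet.http.HttpServletRequest;
import java.net.URI;
import java.net.URISyntaxException;

public class SameOriginRefererInterceptor extends AbstractInterceptor {

    // Result name returned when the check fails; must be mapped in struts.xml (assumed).
    private String errorResult = "error";

    public void setErrorResult(String errorResult) { this.errorResult = errorResult; }

    @Override
    public String intercept(ActionInvocation ai) throws Exception {
        HttpServletRequest request =
                (HttpServletRequest) ai.getInvocationContext().get(StrutsStatics.HTTP_REQUEST);
        if (request == null
                || !refererMatchesHost(request.getHeader("Referer"), request.getServerName())) {
            return errorResult;
        }
        return ai.invoke();
    }

    /**
     * True only if the Referer is present, parses as an absolute URL and its host equals
     * this server's host name. A missing, malformed or foreign Referer counts as direct
     * access. The header is client-controlled, so this is a usability measure only.
     */
    static boolean refererMatchesHost(String referer, String serverName) {
        if (referer == null || serverName == null) {
            return false;
        }
        try {
            String host = new URI(referer).getHost();
            return host != null && host.equalsIgnoreCase(serverName);
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

Register it in struts.xml with an `<interceptor>` element, add it to the stack used by the actions in question, and map the `error` result (globally or per action) to the "no direct access" page. Two practical caveats: browsers and privacy extensions may strip the Referer on legitimate navigations (for example under a strict Referrer-Policy or on HTTPS-to-HTTP transitions), so expect some false errors; and behind a reverse proxy `getServerName()` may report the proxy's host rather than the public one, so the comparison value may need to be configured explicitly.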

Alireza Fattahi

Reputation: 45583

A user can make a request, which is a URL.

This URL can be called:

  1. By clicking a link
  2. By submitting a form
  3. By manually typing the URL in the address bar
  4. By making a request using a library like commons-http
  5. .....

There are many ways. You cannot make sure which one is used. Your server (Struts action) receives these requests and processes them.

Even if you could identify that the request came from a link or button, you cannot trust it. A hacker can easily mimic a request object coming from different sources.

I believe you are not on the correct path. Or please explain more.

Upvotes: 0
