ONJava.com -- The Independent Source for Enterprise Java
oreilly.comSafari Books Online.Conferences.


AddThis Social Bookmark Button

JSP Security for Limiting Access to Application-Internal URLs
Pages: 1, 2, 3

Back to the Application Code

The main part of the page's processing begins by checking for the smID parameter, and retrieving the application instance's state and stack. A new application instance is created if the smID parameter is not supplied.

The application notifies the output and input action pages of its name and smID by setting the smName and smID request attributes.

The state's input action is executed via a <jsp:include> action. The resulting smCondition attribute is retrieved from the request object. A state transition is then performed, based on the value of the smCondition value.

The current values of state and stack are saved in the user's session, and the output action associated with the new state is displayed.

The Exam Application Files

From the outputActions array, you can see that the application makes use of the following pages to display output to the user:

  • welcome.jsp
  • question.jsp
  • response.jsp
  • finished.jsp
  • help.jsp

These and all other source JSP pages of the application can be downloaded here.

What prevents the user from directly requesting the URLs of these pages? At the top of every internal page of the application I insert the following <jsp:include> action:

<jsp:include page="verifyinclude.jsp" flush="true" />

The source of verifyinclude.jsp is as follows:

String smName = (String) request.getAttribute("smName");
if(smName == null)
  throw new Exception("Page not called from within application.");

When a user requests an internal application page, an exception is thrown and the user receives a nasty error. You may want to handle this error with a JSP error-handling page.

As previously mentioned, each output action is responsible for propagating the smID request parameter in the application URLs. This is fairly straightforward. First you retrieve the value of smID from the current request and then add it to any application links that are displayed. In welcome.jsp, the href attribute of the Start link is calculated as follows:

String start = request.getRequestURI() + "?smID=" +
 request.getParameter("smID") + "&start=true";

In question.jsp, the smID parameter is stored in a hidden form field:

<form name="question" action="<%= request.getRequestURI()%>" method="get">
<% for(int i=1; i<questions[currentQuestion].length; ++i) { %>
<p class="answer"><%= i %>. <input type="checkbox" name='a<%= i %>'>
<%= questions[currentQuestion][i] %></p>
<% } %>
<input type='hidden' name='smID' value='<%= request.getAttribute("smID")%>'>
<p class="answer"><input type="submit" name="submit" value="Submit"></p>

You can use whatever technique you like, as long as smID shows up as a parameter of the request object.

Working with Input Actions

Input actions are simple JSPs that process request parameters and set the smCondition attribute of the request object. From the inputActions array, you can see that the application has the following input actions:

  • checkstart.jsp
  • checkanswer.jsp
  • checkfinished.jsp
  • checkreturn.jsp

The checkstart.jsp page is fairly typical of what you'll put in your input actions:

if(request.getParameter("help") != null)
 request.setAttribute("smCondition", "help");
else if(request.getParameter("start") != null)
 request.setAttribute("smCondition", "start");

It checks the values of the request parameters and then reflects them in the smCondition attribute. Of course, more complicated checks may also be made.

More General Application Frameworks

The JSP application framework that I presented in this column is designed to be simple, secure, and verifiable. (For some customers, I actually verify the design of some security-sensitive Web applications.) However, there are other more general, powerful, and comprehensive application frameworks that you can use. The Struts framework of the Apache-Jakarta project is an example of the latter. Struts goes beyond a simple state machine to provide extensive support for the Model-View-Controller paradigm.

Jamie Jaworski is a Java security expert and author, focused on cryptography and such.

Read more Java Security columns.

Return to ONJava.com.