How to prevent client from accessing JSP page

Posted by Ali Bassam on Stack Overflow
Published on 2012-09-02T08:52:12Z Indexed on 2012/09/02 9:38 UTC

In my web application, I use the .load() function in JQuery, to load some JSP pages inside a DIV.

$("#myDiv").load("chat.jsp");

In chat.jsp, no Java code is executed unless the client has logged in, meaning I check the session.

String sessionId = (String) session.getAttribute("SessionId"); // getAttribute() returns Object; null when not logged in
if ("100".equals(sessionId)) { // constant on the left, so a null sessionId gives false instead of a NullPointerException
  //execute code
} else {
  //redirect to the login page
}

The Java code that gets executed will out.println() some HTML elements.

I don't want the client to be able to type /chat.jsp in the browser to access this page, as it will look bad, the other stuff in the main page won't be there, and this could harm the web app's security.

How can I restrict someone from accessing chat.jsp directly, but still keep it accessible via .load()?

UPDATE:

JavaDB is a class I made; it connects me to the database.

This is chat.jsp:

<%@ page import="java.sql.*" %>
<body>

    <%
        // getAttribute() returns null when nobody is logged in, so test the
        // Object itself; calling toString() on it before the null check throws
        // a NullPointerException and the check is never reached.
        Object sessionId = session.getAttribute("SessionId");
        if (sessionId != null) {
            // Parse the parameters as integers so a non-numeric value fails
            // here instead of being pasted into the SQL text.
            int roomId = Integer.parseInt(request.getParameter("roomId"));
            int lastMessageId = Integer.parseInt(request.getParameter("lastMessageId"));
            JavaDB myJavaDB = new JavaDB();
            myJavaDB.Connect("Chat", "chat", "chat");
            Connection conn = myJavaDB.getMyConnection();
            // Bind the values with a PreparedStatement instead of concatenating
            // them into the query string, which left the query open to SQL injection.
            PreparedStatement stmt = conn.prepareStatement(
                "select message,message_id,first_name,last_name from users u,messages m"
                + " where u.user_id=m.user_id and m.message_id>? and room_id=?"
                + " order by m.message_id asc");
            stmt.setInt(1, lastMessageId);
            stmt.setInt(2, roomId);
            String lastId = "";
            int fi = 0;
            ResultSet rset = stmt.executeQuery();
            try {
                while (rset.next()) {
                    fi = 1;
                    lastId = rset.getString(2);
    %>
    <div class="message">
        <div class="messageSender">
            <%=rset.getString(3) + " " + rset.getString(4)%>
        </div>
        <div class="messageContents">
            <%=rset.getString(1)%>
        </div>
    </div>
    <%          }
            } finally {
                // release the JDBC resources even if rendering fails part way
                rset.close();
                stmt.close();
            }
    %>
    <div class="lastId">
        <% if (fi == 1) {%>
        <%=lastId%>
        <% } else {%>
        <%=lastMessageId%>
        <% }%></div>

    <% if (fi == 1) {%>
    <div class="messages">
    </div> 
    <% }
        } else {
            response.sendRedirect("index.jsp");
        }%>
</body>

Guys, I don't know what Filter means.

UPDATE

If I decided to send a parameter that tells me that this request came from jQuery:

.load("chat.jsp",{ jquery : "yes" });

And then check it in chat.jsp:

String yesOrNo = request.getParameter("jquery");

Then they can simply hack this by using this URL:

/chat.jsp?jquery=yes or something like that.

UPDATE

I tried Maksim's advice; this is what I got when I tried to access chat.jsp.

(screenshot not included)

Is this the desired effect?
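The "Filter" the question asks about is a servlet Filter: a class the container runs before the JSP, where the session check can live in one place instead of being repeated in every page. The example below is an added illustration, not code from the question or from Maksim's answer. It assumes a Servlet 3.0 container (javax.servlet with the @WebFilter annotation), that the login code stores an attribute named "SessionId" in the HttpSession as the question does, and that index.jsp is the full page. The filter name ChatAccessFilter is made up here. Two checks are deliberately separated: the session check is the only one that protects the data, because a browser, curl, or any other client can request /chat.jsp directly no matter what the page expects. The X-Requested-With header check only improves the experience for a user who types the URL in, since jQuery's .load() sends that header and a typed-in request does not; like the ?jquery=yes parameter in the question, anyone can add the header by hand, so it must never be the thing that gates the data.

```java
// Added example: server-side access check for chat.jsp as a servlet Filter.
// Not part of the original question. Assumes javax.servlet (Servlet 3.0) and a
// login that stores the "SessionId" attribute in the HttpSession.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Runs for every request to /chat.jsp, whether it comes from .load() or from
// the address bar, before the JSP itself is executed.
@WebFilter(urlPatterns = "/chat.jsp")
public class ChatAccessFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Authorization. This is the check that actually protects the chat
        //    data: no session attribute, no messages. getSession(false) avoids
        //    creating an empty session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("SessionId") == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Presentation only. jQuery's .load() sends
        //    "X-Requested-With: XMLHttpRequest"; a URL typed into the browser
        //    does not. The header is trivially forged, so it is not a security
        //    boundary; it just keeps a logged-in user who types /chat.jsp from
        //    seeing a bare HTML fragment and sends them to the full page instead.
        String requestedWith = request.getHeader("X-Requested-With");
        if (!"XMLHttpRequest".equals(requestedWith)) {
            response.sendRedirect(request.getContextPath() + "/index.jsp");
            return;
        }

        // Both checks passed: let the container render chat.jsp as usual.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release in this example
    }
}
```

With the filter in place, the scriptlet in chat.jsp no longer needs its own session check and redirect, and the existing $("#myDiv").load("chat.jsp") call keeps working unchanged because jQuery already sends the X-Requested-With header. On a container older than Servlet 3.0 the same class is registered with a <filter> and <filter-mapping> entry for /chat.jsp in web.xml instead of the annotation.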
