Securely passing parameters in JSP/Servlet (No Frameworks) - java

We have a JSP page and a Servlet page, where we pass the parameters via URL from JSP to Servlet. Below is the JSP link
Allergies
In our servlet, we do some processing like below.
int id = Integer.parseInt(request.getParameter("idClient"));
//Do the work
RequestDispatcher d = request.getRequestDispatcher("view.jsp");
d.forward(request,response);
Unfortunately this makes the idClient 100% visible, and it is also editable. We have noticed that the user can simply edit the idClient in the URL and access other clients' information too! Not only that, anyone can access anyone's info, whether the client belongs to them or not!
How can we stop this?

Get the logged-in user.
Check whether that user is supposed to be able to access this client's details.
If not, return an error page instead of the client details page.
I can't be more specific without knowing the details of your existing code and database structure.
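The three steps above, written out as an added example (this is not the asker's or the answerer's code). It assumes a "userId" session attribute stored at login and uses a constructed in-memory ownership table in place of the real client table; in practice mayView() becomes a query such as "does a client with this id exist whose owner is this user".

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ClientDetailsServlet extends HttpServlet {

    // Constructed sample ownership table (client id -> owning user id). In a real
    // application this lookup is a query against the clients table.
    private static final Map<Long, Long> CLIENT_OWNER = new HashMap<>();
    static {
        CLIENT_OWNER.put(7L, 100L);   // client 7 belongs to user 100
        CLIENT_OWNER.put(8L, 101L);   // client 8 belongs to user 101
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Identity comes from the server-side session (assumed attribute "userId",
        //    stored at login), never from anything in the URL.
        HttpSession session = request.getSession(false);
        Long userId = session == null ? null : (Long) session.getAttribute("userId");
        if (userId == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }

        // 2. idClient is untrusted input: a missing or non-numeric value is a 400,
        //    not an unhandled NumberFormatException (parseLong(null) throws it too).
        long clientId;
        try {
            clientId = Long.parseLong(request.getParameter("idClient"));
        } catch (NumberFormatException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "idClient must be a number");
            return;
        }

        // 3. Authorization: refuse unless this client belongs to this user.
        if (!mayView(userId, clientId)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 4. Only now do the work and forward, exactly as before.
        request.setAttribute("clientId", clientId);
        RequestDispatcher d = request.getRequestDispatcher("view.jsp");
        d.forward(request, response);
    }

    // The whole fix is this check: unknown client or wrong owner -> false.
    static boolean mayView(long userId, long clientId) {
        Long owner = CLIENT_OWNER.get(clientId);
        return owner != null && owner.longValue() == userId;
    }
}
```

The parameter can stay in the URL; what changes is that the server decides from its own session who the caller is and checks ownership before touching the record. Some applications answer 404 rather than 403 for "not yours" so that valid ids cannot be told apart from nonexistent ones; either is fine as long as the check happens on every request that reads or writes a client.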

Related

Returning to page from where redirect request is made

There are lots of relevant questions with many answers to this, but I wanted to know what the best and suggested method for this is.
The question is simple. I want to redirect from one page to another when a condition is not met, and after this condition becomes true on the redirected page, return to the same page from where the redirect was requested, in a PHP or JSP page.
A more relevant example would be: when a user wants to buy a product from a website, when he chooses a product and wants to make a payment, the site checks whether the user has logged in to the site. If not, it takes him to the login page, and after logging in, takes the user to the payment page directly rather than some homepage which the login page usually takes him to.
There were options like storing sessions and storing the requested URL in a session variable and then using this to return to the page.
But my question is to find what the most suitable standard for this is.
Detailed answers are appreciated. Thanks in advance.
You can do it this way:
Theoretical Explanation Along With CODE:
First you need to get the current page dynamically, so in PHP we have $_SERVER to do the job. So we can use the following code to get our current PHP page name:
$redirect_page = basename($_SERVER['PHP_SELF']); /* Returns The Current PHP File Name */
Note: You will only get the current PHP file name, not the whole URL, using the above code.
Then we need to use something in which we can store the value in order to be able to use it on the next redirected page, so we have COOKIES & SESSIONS in PHP to do the job, and here I am going to share both methods with you. As we already got our page name, second we need to store it.
BY USING COOKIES:
We can create a cookie this way:
setcookie("redirect_page", $redirect_page, time()+20);
As you can see, we created a cookie here and stored the redirect page name in it.
Now when you redirect to another page this way by using header:
header("Location: 2nd_page.php");
And on the 2nd page you can redirect to the first page from where you were redirected this way:
if ($value1 != $value2) {
    $redirect_back = $_COOKIE['redirect_page'];
    header("Location: $redirect_back");
}
BY USING SESSIONS:
We can create a session this way:
$_SESSION['redirect_page'] = $redirect_page;
As you can see, we created a cookie here and stored the redirect page name in it.
Now when you redirect to another page this way by using header:
header("Location: 2nd_page.php");
And on the 2nd page you can redirect to the first page from where you were redirected this way:
if ($value1 != $value2) {
    $redirect_back = $_SESSION['redirect_page'];
    header("Location: $redirect_back");
}
Note: Remember to run the session_start() statement on both of these pages before you try to access the $_SESSION array, and also before any output is sent to the browser.

spring mvc tracing the referrer page

In an annotation-based Spring controller, if a user was on url.com/first/page and clicked a link or submitted a form pointing to, say, url.com/second/page.
How to make the second/page know the URL of /first/page so that the second/page can
1) redirect the user to the first/page again when the form values are processed,
2) or show a back button link to the /first/page?
Edit 1 --
request.getHeader('Referer') is another, but I think those are browser based, at the mercy of the browser. If the browser doesn't do it, we can't know. I wanted a way which is application wide, somehow passing the URL from one page to another.
Edit 1 end --
You can use the two methods below:
request.getAttribute("javax.servlet.forward.request_uri")
or
request.getHeader("Referer");
In the above methods you are trusting the browser behavior and also the container which makes the request object available to you. I don't know why you don't want to use this method.
Or
You can get the current page/servlet URL, save it in the session and use it on the second page.
String requestUrl = request.getRequestURL().toString(); // getRequestURL() returns a StringBuffer
session.setAttribute("previous_page", requestUrl);
Then on the second page:
session.getAttribute("previous_page");
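The "remember where the user was, send them to login, then send them back" flow from the PHP answer above and the "save the URL in the session" answer here, written as one added servlet example (not code from either answer). It assumes a session attribute named "returnTo", a "userId" attribute set on successful login, and leaves the credential check as an abstract hook; the filter is mapped in web.xml to the protected pages and the servlet to /login. Two points the answers leave out are handled: the pre-login session id is discarded at login (session fixation), and the stored target is checked to be a path inside this application before it is used in a Location header, which matters most when the value travels in a client-editable cookie as in the PHP cookie variant.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class LoginFlow {
    static final String RETURN_TO = "returnTo"; // session attribute, name assumed
    static final String USER_ID = "userId";     // set by the login servlet on success

    private LoginFlow() {}

    /** Mapped in web.xml to the protected pages, e.g. /payment/*. */
    public static class LoginRequiredFilter implements Filter {
        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            HttpSession session = request.getSession(false);
            if (session != null && session.getAttribute(USER_ID) != null) {
                chain.doFilter(req, res); // logged in: carry on
                return;
            }
            // Remember the page the user was trying to reach, but only for GET:
            // replaying a POST (a payment, say) after login is not what anyone wants.
            if ("GET".equals(request.getMethod())) {
                String target = request.getRequestURI();
                if (request.getQueryString() != null) {
                    target += "?" + request.getQueryString();
                }
                request.getSession(true).setAttribute(RETURN_TO, target);
            }
            response.sendRedirect(request.getContextPath() + "/login");
        }
    }

    /** Mapped to /login; subclass it and implement the credential check. */
    public abstract static class LoginServlet extends HttpServlet {
        /** Hypothetical hook: verify the submitted credentials against your user store. */
        protected abstract boolean credentialsValid(String username, String password);

        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            String username = request.getParameter("username");
            if (!credentialsValid(username, request.getParameter("password"))) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Session fixation defence: the id the browser had before login must not
            // survive login. Carry only the return target over to the fresh session.
            HttpSession old = request.getSession(false);
            Object returnTo = old == null ? null : old.getAttribute(RETURN_TO);
            if (old != null) {
                old.invalidate();
            }
            HttpSession fresh = request.getSession(true);
            fresh.setAttribute(USER_ID, username);

            String target = safeReturnTarget(returnTo, request.getContextPath());
            response.sendRedirect(target != null ? target : request.getContextPath() + "/");
        }
    }

    /**
     * Accept the stored target only if it is a path inside this web application:
     * no scheme, no protocol-relative "//host", no backslash, no control characters.
     * Returns null when the value is unusable, and the caller falls back to the home page.
     */
    static String safeReturnTarget(Object stored, String contextPath) {
        if (!(stored instanceof String)) {
            return null;
        }
        String s = (String) stored;
        if (!s.startsWith(contextPath + "/") || s.startsWith("//") || s.contains("\\")) {
            return null;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return null;
            }
        }
        return s;
    }
}
```

With a root context (contextPath is the empty string) the prefix test reduces to "starts with /", which is why the separate "//" test is kept: "//attacker.example/x" would otherwise pass and the browser would treat it as an absolute URL on another host.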

Establish Connection First, Redirect User Second

I have an idea to make something pretty sweet, but I'm not sure if it's possible. Here is an example of a very basic ajax function that I might use to establish a connection to a server...
function getFakePage(userId)
{
    var ajaxObject, path, params;
    ajaxObject = getAjaxObject();   // poster's own helper (not shown): returns an XMLHttpRequest
    params = "?userId=" + userId;
    path = getInternalPath() + "someServlet" + params;   // getInternalPath(): poster's helper, not shown
    ajaxObject.open("GET", path, true);
    ajaxObject.send();
    // On ready state change stuff here
}
So let's say I have a URL like this...
https://localhost:8443/Instride/user/1/admin
And I wanted to use JavaScript to redirect the user to this URL. Normally I would just do this...
window.location = "https://localhost:8443/Instride/user/1/admin";
But my idea is to create a JavaScript (no JS frameworks please) function that could combine the ajax code with the window.location code. Basically, what I would like to accomplish is to create a connection with the server via ajax, send a servlet on that server the URL I would like the user to be redirected to, and then redirect the user to that URL. So that for however long it takes the user to connect to my server from wherever they are in the world, they see a loading icon instead of a blank white page.
So to clarify exactly what I am trying to accomplish: I do not want to put window.location within the success of my ajax function (because that would encompass two round trips), and I do not want to return a huge chunk of HTML for the requested resource and add it to the page. I want to establish a connection to the server with ajax, send a servlet the URL the user wants to go to, and then somehow override the ajax function to redirect that user. Is this possible?
And I know some of you might think this is stupid, but it's not when you're talking about overseas users with slow dial-up connections staring at white pages. If it's possible, I'd love to hear some insight. Thank you very much!
First, let me say that the best solution is finding what is causing the slowness and fixing it.
Now as to your question, yes, you could do it. You could even shoehorn it onto an existing application. But it wouldn't be pretty. And it comes with its own set of problems. But here are the steps:
Browser calls ajax cache service requesting "somepage.html"
Browser loads loading icon
Server creates somepage.html and caches it in a temporary cache (ehcache or another library would be good, probably with file backing for the cache depending on size)
Server responds to ajax request with ID for cached page
Browser now redirects to "somepage.html?cacheId={cacheId}" where the ID is from the ajax call.
Server uses a filter to see if any cache can be served up for the page instead of the actual page, thus speeding up the request.
Having said that, it would be better to just have the new page load quickly with a loading icon while it did any of the heavy lifting through ajax.
You can't do an AJAX request and a location change in one. If you want to do only one request, you have to choose one of those methods, i.e. return some data and replace content on your current page, or load a completely new page.
It doesn't make any sense to want to do both. What you could want is stateful URLs, where your URL matches the content displayed, even if that content comes from an AJAX request. In that case an easy solution is to use the # part of the URL, which you can change freely (window.location.hash). Some modern browsers support changing the whole URL without causing the page to reload. I've used # with great success myself.

How do I know whether my HTML link is clicked or not from a Servlet?

My Servlet response type is HTML and my response contains a hyperlink to another web site. So, now I want to capture information about whether the user clicked the link or not, and also calculate the total clicks. I am using Tomcat 7 as a server.
Is this possible by setting a response header (302 or 404)?...
Please guide me to get out of this issue.
Yes, you can use a 302: instead of providing the link to the other website, you provide a link to your own servlet, do your accounting and then send back a redirection (301/302) HTTP status with the other website's URL in the response Location header.
This may be a bit simplistic though, since the user will leave your original page (is this what you want?) and search engines may not like this if your web app is public.
I think right now you are redirecting the request (link to another website) at the client side. In this approach your server cannot get information about the click.
What you can do is create a servlet and call this servlet on click; now this servlet is responsible for redirecting the request to the other website. Add a static integer counter and increment it each time the servlet is called.
Use the method setStatus():
response.setStatus(HttpServletResponse.SC_FOUND);
or
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
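The counting redirect servlet the answers describe, as an added example (not code from either answer). It assumes the page links to this servlet as /go?link=docs and uses a constructed link table. Two details differ from the sketch above: the destination is looked up server-side from a short key rather than taken from a ?url= parameter, so the servlet cannot be used to bounce visitors to arbitrary sites, and the counter is an AtomicLong rather than a plain static int, because one servlet instance serves many threads at once and a bare increment would drop clicks.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class OutboundLinkServlet extends HttpServlet {

    // Constructed sample link table: key used in the page -> real destination.
    // Choosing the destination server-side is what keeps this from being an open redirect.
    private static final Map<String, String> LINKS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("docs", "https://example.com/docs");
        m.put("partner", "https://partner.example.org/");
        LINKS = Collections.unmodifiableMap(m);
    }

    // One counter per link. Servlets are shared across request threads, so a plain
    // static int (load, add, store) would lose increments under concurrent clicks.
    private static final Map<String, AtomicLong> CLICKS = new ConcurrentHashMap<>();

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String key = request.getParameter("link");
        if (!isKnownLink(key)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        recordClick(key);
        // Without this, a browser or proxy may replay the cached 302 and later clicks
        // never reach the servlet, so the count undercounts.
        response.setHeader("Cache-Control", "no-store");
        // 302 Found plus a Location header, exactly as the answer describes.
        response.setStatus(HttpServletResponse.SC_FOUND);
        response.setHeader("Location", LINKS.get(key));
    }

    /** True if the key is one the page is allowed to redirect to. */
    static boolean isKnownLink(String key) {
        return key != null && LINKS.containsKey(key);
    }

    /** Increments the counter for a link and returns the new total. */
    static long recordClick(String key) {
        return CLICKS.computeIfAbsent(key, k -> new AtomicLong()).incrementAndGet();
    }

    /** Current total for a link (0 if never clicked). */
    static long clicksFor(String key) {
        AtomicLong n = CLICKS.get(key);
        return n == null ? 0L : n.get();
    }
}
```

The counts live in memory and start from zero on every redeploy or restart; if the numbers matter, write them to a database or a log line per click (with the key, a timestamp and the session id, not the full user agent string) from recordClick().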

Webpage authentication in JSF

I'm having a problem identifying a session timeout page and a page navigated to directly...
The user will first fill a form and submit it; based on the search he will land on an information page. If for some reason he tries to type the URL of the information page instead of coming through the search page, how can I restrict him?
I tried using an indicator variable in the session, but that is getting into conflict with session timeout.... How do I differentiate if it is a session timeout or direct navigation?
Could someone please shed some light on this and point me in the right direction?
From my understanding your question is:
The user should not be able to access a certain page, say Page1.xhtml, directly. He should first fill in a form on page2.xhtml and then should be directed to this page by the server itself.
Solution:
You could put page1.xhtml inside the WEB-INF directory of your webapp, which will restrict direct access to your webpage.
You could use the security-constraint tag of web.xml and make use of container security to restrict direct access.
You could test for a server side session timeout as follows:
if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
    // The session has been timed out (or a hacker supplied a fake cookie).
}
The request here is the HttpServletRequest, which you can obtain in the JSF context from ExternalContext#getRequest() or, actually better, inside a Filter by just downcasting the ServletRequest argument.
As a completely different alternative, you could also introduce a timed ajax poll as a "heartbeat" so that the session never expires as long as the user has the page open in the browser.
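The timeout test above combined with the asker's indicator variable, as an added Filter example (not code from the answer). It assumes the search action sets a session attribute named "cameFromSearch" before navigating to the information page, and assumes the page names expired.xhtml and search.xhtml. The point is the order of the checks: the "requested session id is no longer valid" case is what a timeout looks like and must be tested first, because once that is ruled out, "no session or no indicator" can only mean the URL was reached without going through the search.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class InfoPageGuardFilter implements Filter {

    // Session attribute the search action sets just before navigating to the info page
    // (name assumed; it plays the role of the question's "indicator variable").
    static final String CAME_FROM_SEARCH = "cameFromSearch";

    enum Outcome { OK, SESSION_EXPIRED, DIRECT_NAVIGATION }

    /**
     * The cases the question conflates, told apart by what the browser sent:
     *  - a session id the server no longer recognises       -> the session timed out
     *    (or the cookie was forged; either way it is not a live session);
     *  - no session, or a live session without the indicator -> URL typed directly;
     *  - live session with the indicator                     -> came through the search.
     */
    static Outcome classify(HttpServletRequest request) {
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            return Outcome.SESSION_EXPIRED;
        }
        HttpSession session = request.getSession(false); // never create one here
        if (session == null || session.getAttribute(CAME_FROM_SEARCH) == null) {
            return Outcome.DIRECT_NAVIGATION;
        }
        return Outcome.OK;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String base = request.getContextPath();
        switch (classify(request)) {
            case SESSION_EXPIRED:
                response.sendRedirect(base + "/expired.xhtml"); // page names assumed
                return;
            case DIRECT_NAVIGATION:
                response.sendRedirect(base + "/search.xhtml");
                return;
            default:
                chain.doFilter(req, res);
        }
    }
}
```

Map the filter only to the information page's URL so the search page itself stays reachable, and keep it ahead of the JSF servlet in the chain: JSF creates a session early for view state, and once anything has called getSession(true) the "no session" branch can no longer fire. One ambiguity remains by design: a browser whose session has expired and whose user then types the URL directly is reported as a timeout, which is the friendlier of the two messages.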
