How to protect servlet response data when directly accessed using URL - java

In my application I have used JSON auto-suggest functionality to suggest the name of a user id when stored in cache.
So whenever I try to hit the URL, the response returns the fully qualified email address, PFB -
Request - https://wwwsampleweb.com/tc/servlet/AjaxServiceServlet?qtc=james*
it is returning the response -
{identifier:'name', items: [ {name:'james.goodlife#abc.com', label:'james.goodlife#abc.com'}]}
How to stop the response when directly accessing the URL?
I have tried to verify the session, but this servlet is used for auto-suggesting the username while logging in, which means no session has been created yet. Also we can block the IP, but we cannot block all IPs.
Could you please assist me with how we can stop this?
Thanks!

I'm missing the value of username suggestion on a login form, but anyway:
I assume that you are requesting the data using a GET request?
If you would like to prevent anyone from accessing the URL directly and retrieving data, you could use a POST request and then only return data when the page is accessed through a POST request (optionally combined with the session check).
Please keep in mind that this is not a bullet-proof way of preventing misuse.
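The POST-only variant the answer describes, written out as an added example (this is not the poster's AjaxServiceServlet). The in-memory directory is constructed sample data, and the X-Requested-With header check, the minimum prefix length and the result cap are assumptions added on top of the answer. It also shows the limit the answer warns about: a browser navigation cannot set the header, but any scripted client can.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the suggest endpoint as a POST-only servlet.
// The directory contents, the header check and the limits are assumptions.
public class AjaxServiceServlet extends HttpServlet {

    private static final int MIN_PREFIX_LENGTH = 3; // refuse "j*"-style broad queries
    private static final int MAX_ITEMS = 5;         // cap how much one call can reveal

    // Constructed sample directory standing in for the cache the question mentions.
    private final List<String> directory = Arrays.asList(
            "james.goodlife@example.com", "james.smith@example.com", "jane.doe@example.com");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Pasting the URL into the address bar issues a GET: answer 405 and return no data.
        resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        resp.setHeader("Allow", "POST");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Browsers do not add this header to plain form posts or navigations; the login
        // page's XHR does. A scripted client can add it too, hence "not bullet-proof".
        if (!"XMLHttpRequest".equals(req.getHeader("X-Requested-With"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String q = req.getParameter("qtc");
        String prefix = q == null ? "" : q.replace("*", "").trim().toLowerCase(Locale.ROOT);
        if (prefix.length() < MIN_PREFIX_LENGTH) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        List<String> matches = lookup(prefix, MAX_ITEMS);

        resp.setContentType("application/json;charset=UTF-8");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.print("{\"identifier\":\"name\",\"items\":[");
        for (int i = 0; i < matches.size(); i++) {
            if (i > 0) out.print(',');
            String v = jsonString(matches.get(i));
            out.print("{\"name\":" + v + ",\"label\":" + v + "}");
        }
        out.print("]}");
    }

    // Prefix match against the constructed directory, capped at 'limit' entries.
    List<String> lookup(String prefix, int limit) {
        List<String> found = new ArrayList<>();
        for (String entry : directory) {
            if (entry.toLowerCase(Locale.ROOT).startsWith(prefix)) {
                found.add(entry);
                if (found.size() == limit) break;
            }
        }
        return found;
    }

    // Minimal JSON string quoting so a directory entry cannot break out of the literal.
    static String jsonString(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.append('"').toString();
    }
}
```

The cap and the minimum prefix are what actually reduce the exposure: whoever can POST can still retrieve addresses, but only a few per call and only with a real prefix, and the 405 on GET removes the address-bar case the question asks about.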

Related

response.sendRedirect Vs getRequestDispatcher

I have a servlet, called 'insert', that inserts data into a DB.
At the end of this servlet I have a getRequestDispatcher that sends the user to a page called 'outcome.jsp'. My servlet also sends a variable to outcome.jsp with request.setAttribute("Message", "bla bla bla");
In outcome.jsp I have a request.getAttribute("Message"); and I show the value of Message to the user.
In the browser URL bar there is always the URL of my servlet (http://www.site.com/insert), so the user could use the reload button of the browser and make the insert 1000000000 times.
I tried using response.sendRedirect but I can't use request.setAttribute, and I need it to show a message about the insert outcome.
How can I avoid the URL of my servlet being shown in the browser URL bar, in order not to allow the user to make infinite inserts by using the reload button?
Thank you
Whichever of the two methods you use, you will still have the same problem (even in the case of sendRedirect(), by the user capturing and replaying the request). The check for double inserting should be done separately.
Usually, if you want to disable a double entry from a client, you can create a token and send it to the client. When the client wants to make an insert, you can check if this token is valid and then do the insert (AND then remove the token from the valid list).
That is just one of many ways....
Hope this helps
If you use response.sendRedirect(), a new request will start, so you cannot access the data you set for your previous request. To show the data you have to use a query parameter, which will be appended to the URL:
response.sendRedirect("/outcome.jsp?Message=" + java.net.URLEncoder.encode("bla bla", "UTF-8")) // URL-encode the value: a bare space is not valid in a Location header
In your JSP page you need to read it as
request.getParameter("Message")
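The two answers above put together as one added example (not the poster's 'insert' servlet, and not either answerer's code): a one-time token issued with the form and consumed atomically on POST, followed by Post/Redirect/Get so the browser's URL bar ends up on the outcome page and a reload cannot repeat the insert. The "Message" attribute name and outcome.jsp come from the question; the formToken field, the /outcome mapping and the insertRow() call are assumptions.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: one-time form token plus Post/Redirect/Get.
// Attribute names, the /outcome mapping and insertRow() are assumptions.
public class InsertServlet extends HttpServlet {

    private static final String TOKENS_ATTR = "insert.tokens";
    private static final String FLASH_ATTR = "Message";
    private static final SecureRandom RANDOM = new SecureRandom();

    // GET renders the form and issues a fresh token for it.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String token = newToken();
        validTokens(req.getSession(true)).add(token);
        req.setAttribute("formToken", token);       // form.jsp puts it in a hidden field
        req.getRequestDispatcher("/form.jsp").forward(req, resp);
    }

    // POST consumes the token; a reload re-submits the same token and is refused.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String token = req.getParameter("formToken");
        // Set.remove() returns true only for the first request presenting this token,
        // so two concurrent submits of the same form cannot both pass.
        boolean fresh = session != null && token != null && validTokens(session).remove(token);
        if (!fresh) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "Form already submitted");
            return;
        }
        insertRow(req.getParameter("data"));        // assumption: the real DB insert
        // The message travels in the session for exactly one following request;
        // the browser URL becomes /outcome, so reload repeats a harmless GET.
        session.setAttribute(FLASH_ATTR, "Insert done");
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/outcome"));
    }

    @SuppressWarnings("unchecked")
    private static Set<String> validTokens(HttpSession session) {
        synchronized (session) {
            Set<String> tokens = (Set<String>) session.getAttribute(TOKENS_ATTR);
            if (tokens == null) {
                tokens = ConcurrentHashMap.newKeySet();
                session.setAttribute(TOKENS_ATTR, tokens);
            }
            return tokens;
        }
    }

    // 128 random bits, URL-safe, so a token cannot be guessed or reused across forms.
    private static String newToken() {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    private void insertRow(String data) { /* the application's database insert goes here */ }
}

// Mapped to /outcome: reads the flash message once and forwards to outcome.jsp,
// which keeps using request.getAttribute("Message") exactly as in the question.
class OutcomeServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            req.setAttribute("Message", session.getAttribute("Message"));
            session.removeAttribute("Message");     // shown once; a reload shows nothing
        }
        req.getRequestDispatcher("/outcome.jsp").forward(req, resp);
    }
}
```

The redirect alone would not stop a replayed POST (the first answer's point); the token is what refuses it, and the session-held message avoids putting text into the query string at all.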

How does doGet() support bookmarks?

Reading below link , I could note that "doGet() allows bookmarks".
http://www.developersbook.com/servlets/interview-questions/servlets-interview-questions-faqs.php : search "It allows bookmarks"
Can anyone tell how and what is the use of it ?
All the parameters of a GET request are contained in the URL, so when you are requesting a resource using a GET request, the request can be formed from the URL itself.
Consider an example: www.somesite.com/somePage.jsp. This generates a GET request because we are asking for a resource, somePage.jsp.
If you are asking for a resource, then it is a GET request.
GET requests are used to retrieve data.
Any GET request calls the doGet() method of the servlet.
GET requests are idempotent, i.e. calling the same resource again and again does not cause any side effects on the resource.
Hence, a GET request can be bookmarked.
EDIT :-
As suggested by Jerry Andrews, POST requests, unlike GET requests, do not carry the query data needed to form the resource from the URL alone. Hence they are not bookmarked.
It means that if you bookmark the URL of a servlet that has doGet() implemented, you can always get the same page again when you re-visit it. This is very common for searches, links to products, news, etc.

How to get textbox value in the same JSP without submitting it?

Actually I want to use the textbox value and set a session parameter in the same JSP page without submitting it, i.e. without using the request or response object. I want to use this textbox value in the same JSP page for further use. How can I access the value of a text box in the same page?
You could either utilize the new HTML5 local storage (only supported in the more recent/modern browsers), or you could create a session cookie in JavaScript and store the value in there.
Note that none of those approaches will affect the server-side HttpSession in any way. For that you simply can't get around sending an HTTP request containing the desired information, as that's the only way to send information from the client to the server side. You could however consider using Ajax to send the HTTP request asynchronously and fully transparently in the background.

Options for passing data across HTTP redirects

I am working on a Web application and need to pass data across HTTP redirects. For example:
http://foo.com/form.html
POSTs to
http://foo.com/form/submit.html
If there is an issue with the data, the Response is redirected back to
http://foo.com/form.html?error=Some+error+message
and the query param "error"'s value is displayed on the page.
Is there any other reliable way to pass data across redirects (i.e. HTTP headers, etc.)?
Passing the data as query params works but isn't ideal because:
it's cleartext (and in the query string, so SSL can't be relied on to encrypt it), so I wouldn't want to pass sensitive data
URIs are limited in length by the browser (albeit the length is generally fairly long).
IMPORTANT: This platform is stateless and distributed across many app servers, so I can't track the data in a server-side session object.
From the client-server interaction point of view, this is a server internal dispatch issue.
Browsers are not meant to re-post the entity of the initial request automatically according to the HTTP specification: "The action required MAY be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD."
If it's not already the case, make form.html dynamic rather than a static HTML file. Send the POST request to itself and pre-fill the values in case of error. Alternatively, you could make submit.html use the same template as form.html if there is a problem.
"it's cleartext (and in the query string, so SSL can't be relied on to encrypt it), so I wouldn't want to pass sensitive data"
I'm not sure what the issue is here. You're submitting everything over plain HTTP anyway. Cookies, query parameters and the request entity will all be visible. Using HTTPS would actually protect all of this, although query parameters can still be an issue with browser history and server logs (those are not part of the connection, which is what TLS protects).
I think using cookies would be a reasonable solution, depending on the amount of data, as you can't track it on the server side (by using a session, for example, which would be much simpler).
You can store error message in database on server and reference to it by id:
http://foo.com/form.html?error_id=42
If error texts are fixed you even don't need to use a database.
Also, you can use Web Storage. Instead of redirection with "Location" header you can display output page with this JavaScript:
var error_message = "Something is wrong";
if (typeof(Storage) !== "undefined") {
    localStorage.error_message = error_message;
} else {
    // fallback for browsers without Web Storage (IE < 8)
    alert(error_message);
}
location.href = "new url";
And after redirection you can read localStorage.error_message using JavaScript and display the message.
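The cookie option mentioned above, worked through for the stateless, multi-server setup in the question. This is an added example and not code from any of the answers: the message rides in a short-lived cookie that every app server can verify with a shared HMAC key, so no server-side session is needed and the text never appears in the URL, browser history or access logs. The cookie name, the one-minute lifetime and the key literal (a placeholder for a value loaded from configuration) are assumptions; the HMAC signing is my addition, not something the answers propose.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: a one-request "flash" cookie that survives the redirect from
// submit.html back to form.html without server-side state. KEY is a placeholder
// for a secret shared by all app servers and loaded from configuration.
public final class FlashCookie {
    private static final String NAME = "flash";
    private static final long MAX_AGE_MS = 60_000;   // a redirect completes within seconds
    private static final byte[] KEY = "REPLACE-WITH-SHARED-SECRET".getBytes(StandardCharsets.UTF_8);

    // Value format: base64url(expiry|message) + "." + base64url(HMAC-SHA256 over the first part).
    public static String encode(String message, long nowMillis) {
        String payload = b64((nowMillis + MAX_AGE_MS) + "|" + message);
        return payload + "." + b64(hmac(payload));
    }

    // Returns the message, or null if the value is missing, tampered with, or stale.
    public static String decode(String value, long nowMillis) {
        if (value == null) return null;
        int dot = value.indexOf('.');
        if (dot < 0) return null;
        String payload = value.substring(0, dot);
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(value.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison; only after it passes is the payload trusted and parsed.
        if (!MessageDigest.isEqual(hmac(payload), given)) return null;
        String plain = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
        int bar = plain.indexOf('|');
        if (bar < 0) return null;
        long expires = Long.parseLong(plain.substring(0, bar));
        return nowMillis > expires ? null : plain.substring(bar + 1);
    }

    // submit.html side: set the cookie, then redirect without any text in the URL.
    public static void redirectWithError(HttpServletResponse resp, String error, String target)
            throws IOException {
        Cookie c = new Cookie(NAME, encode(error, System.currentTimeMillis()));
        c.setPath("/");
        c.setHttpOnly(true);
        c.setSecure(true);          // only sent over HTTPS, in line with the advice above
        c.setMaxAge(60);
        resp.addCookie(c);
        resp.sendRedirect(target);
    }

    // form.html side: read the message once and delete the cookie.
    public static String consume(HttpServletRequest req, HttpServletResponse resp) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName())) {
                Cookie gone = new Cookie(NAME, "");
                gone.setPath("/");
                gone.setMaxAge(0);
                resp.addCookie(gone);
                return decode(c.getValue(), System.currentTimeMillis());
            }
        }
        return null;
    }

    private static byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(String s) { return b64(s.getBytes(StandardCharsets.UTF_8)); }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
}
```

Cookies are limited to roughly 4 KB, so this suits an error message, not a whole form's worth of data; the error-id variant above remains the better fit for large or fixed texts. The HMAC only keeps the message from being forged or altered; it is still readable by the client, so the cookie should carry nothing the user should not see.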

Manage session when browser has disabled cookies

I want to know how I can manage a session if the client browser has disabled the cookie feature.
If I want to implement it in simple JSP/Servlet, then how can I do that?
Thanks in advance...
Without cookies, you have two options. The first is passing a session ID through URLs. This requires a lot of work on the server because every URL you send back must have a session ID appended to it (usually in the form of a query string parameter). For example:
/path/to/page
becomes
/path/to/page?sessionid=ASDFG-ASDFG-ASDFG-ASDFG-ASDFG
The other option you have would be to combine what information you have via HTTP into a "unique" key and create your own session bucket. By combining the HTTP User-Agent, remote IP and remote X-Forwarded-For IP you can get close to uniquely identifying a user, but there is no guarantee that this key is 100% unique.
On the JSP side, you can use JSTL's <c:url> for this.
<a href="<c:url value="page.jsp" />">link</a>
Easy as that. It will automagically append the jsessionid when cookies are disabled.
On the servlet side you need HttpServletResponse#encodeURL() or, usually the preferred one inside servlets, HttpServletResponse#encodeRedirectURL() for this.
response.sendRedirect(response.encodeRedirectURL("page.jsp"));
url rewriting
http://www.developertutorials.com/tutorials/java/implement-session-tracking-050611/page5.html
Each URL must be encoded using response.encodeURL("page.jsp").
This will add the session ID onto the end of each URL so cookies do not have to be enabled.
Note that you will have to do this manually for every single URL in order for it to work.
See this link for more info.
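The two servlet-side calls the answers name, encodeURL() for links and encodeRedirectURL() for redirects, in one added example (not from the answers): a servlet that keeps a per-session counter and writes every outgoing URL through the container's rewriting, plus a diagnostic line for testing with cookies switched off. The CartServlet name, its /cart mapping, the "visits" attribute and checkout.jsp are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: every link and redirect goes through the container's URL rewriting
// so the session survives without cookies. Mapping and attribute names are assumptions.
public class CartServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        Integer visits = (Integer) session.getAttribute("visits");
        visits = visits == null ? 1 : visits + 1;
        session.setAttribute("visits", visits);

        if ("checkout".equals(req.getParameter("action"))) {
            // Redirect: encodeRedirectURL() appends ;jsessionid=... only when the client
            // did not present a session cookie, and only for URLs inside this web app.
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/checkout.jsp"));
            return;
        }

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<p>Visits in this session: " + visits + "</p>");
        // Links: same rule. A link written without encodeURL() drops the session ID,
        // and the next click starts a brand-new session with visits reset to 1.
        out.println("<a href=\"" + resp.encodeURL("page.jsp") + "\">page</a>");
        out.println("<a href=\"" + resp.encodeURL(req.getContextPath() + "/cart?action=checkout")
                + "\">checkout</a>");
        // Diagnostic while testing with cookies disabled: true means the ID came from the URL.
        out.println("<p>Session id came from URL: " + req.isRequestedSessionIdFromURL() + "</p>");
    }
}
```

With cookies enabled the same code emits plain URLs, so it costs nothing to apply it everywhere. The trade-off to keep in mind: a session ID in the URL is copied into bookmarks, browser history, Referer headers of outbound links and proxy or server access logs, which is why many deployments pin the container to cookie tracking only (Servlet 3.0's <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml) and accept that cookie-less clients cannot hold a session.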