| From | Daniel Pitts <newsgroup.nospam@virtualinfinity.net> |
|---|---|
| Newsgroups | comp.lang.java.help |
| Subject | Re: Preventing Typed URLs From Being Used |
| References | <kmecaj$n92$1@dont-email.me> |
| Message-ID | <CMyit.1705$mC6.475@newsfe15.iad> (permalink) |
| Date | 2013-05-08 13:42 -0700 |
On 5/8/13 1:28 PM, Steve wrote:
>
> Hi,
>
> My boss asked me to alter our Java Webapp such that users cannot go to
> places in our Webapp by typing URLs into their browser location bar.

This is usually an indication of either a misunderstanding of the web, or a misunderstanding of security. If I were in your situation, I would ask what the actual problem they are trying to solve is.

> I told her that I can not disable their location bars.

In general, you can not control what the user does. You can attempt to, but the end-user can do things that are disabled by the browser using extensions or command-line utilities, or scripts they write themselves.

>
> I told her the way this is usually done is to launch a WebApp in a new
> customized browser window sans a location bar.
>
> That was not acceptable to her.

That comes closer to solving the problem, but not entirely. It also is a bad user experience to interfere with users' standard uses.

> I already have a Java Filter class set up to enforce various rules. So,
> I was thinking of this approach
>
>
> 1. Implement a system wide "writeFlagCookie" javascript function to
> write a cookie anytime a user initiates a GET by clicking on a link or a
> button.
>
> 2. Everywhere the WebApp does a redirect or a forward, put a flag
> variable, say "wasRedirected" into the HTTP session.
>
> 3. In my Filter, intercept each request and check for the request type.
>
> 4. If it is a POST, I know a human didn't type the URL into their
> browser, so I automatically let it through.

Though I could use curl to type a URL and send data. I could also update the URL in the form HTML.

>
> 5. If it is a GET, look for a javascript generated cookie, or the flag
> stored in the session to indicate a redirect or a forward. If I find
> neither send the user back to the page they just tried to leave from.

What if they are doing multi-tab or multi-window browsing?

> Though it will be a lot of work, it sounds too simple to be adequate.

It is. You need to understand what the actual requirement is (breaking the user's browser is an attempted solution, not an actual problem to be solved).

> Is there any way this approach can bite me in the ass?

Yes, it solves nothing, it breaks tabbed browsing, and leads to other poor user experience.

> Any other constructive thoughts?

Find a job at a better place?
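
The two objections raised in the reply above (a POST need not come from a form, and multi-tab browsing produces GETs without the flag) can be checked against the rule in steps 4 and 5 with a small model. This is an added example, not code from the post or the poster's Webapp; `Request`, `allowed` and `misjudged` are hypothetical names, the sample requests are constructed, and treating a second-tab reload as a request the policy wants allowed is an assumption.

```java
import java.util.List;

// Model of the decision rule from steps 4 and 5 of the quoted proposal.
// Request is a hypothetical stand-in for the fields a servlet Filter would read.
public class TypedUrlFilterModel {
    // handEntered is the ground truth the filter is trying to infer but never sees.
    record Request(String label, String method, boolean flagCookie,
                   boolean wasRedirected, boolean handEntered) {}

    // Step 4: every POST passes. Step 5: a GET passes only with a cookie or session flag.
    static boolean allowed(Request r) {
        if ("POST".equals(r.method())) {
            return true;
        }
        return r.flagCookie() || r.wasRedirected();
    }

    // Counts requests where the rule's verdict disagrees with the intended policy
    // (block hand-entered URLs, allow everything else).
    static long misjudged(List<Request> requests) {
        return requests.stream()
                .filter(r -> allowed(r) == r.handEntered())
                .count();
    }

    // Constructed sample requests, not captured traffic.
    static List<Request> samples() {
        return List.of(
            new Request("in-app link click, JS wrote cookie", "GET", true, false, false),
            new Request("URL typed into location bar", "GET", false, false, true),
            new Request("same user reloads page in second tab", "GET", false, false, false),
            new Request("command-line client POSTs to typed URL", "POST", false, false, true));
    }

    public static void main(String[] args) {
        for (Request r : samples()) {
            String verdict = allowed(r) ? "ALLOW" : "BLOCK";
            String note = allowed(r) == r.handEntered() ? "  <-- wrong verdict" : "";
            System.out.printf("%-42s %-5s%s%n", r.label(), verdict, note);
        }
        System.out.println("misjudged: " + misjudged(samples()) + " of " + samples().size());
    }
}
```

Half of the constructed requests get the wrong verdict: the second-tab reload is blocked and the command-line POST is allowed, because the rule only sees the method and the flags, never how the URL was produced.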
Preventing Typed URLs From Being Used Steve <tinker123@gmail.com> - 2013-05-08 16:28 -0400
Re: Preventing Typed URLs From Being Used Daniel Pitts <newsgroup.nospam@virtualinfinity.net> - 2013-05-08 13:42 -0700
Re: Preventing Typed URLs From Being Used Steve <tinker123@gmail.com> - 2013-05-08 16:47 -0400
Re: Preventing Typed URLs From Being Used Daniel Pitts <newsgroup.nospam@virtualinfinity.net> - 2013-05-09 07:58 -0700