
how to restrict direct access to url in spring

In a web application, when a user visits a students list page, the screen shows a list of student names with hyperlinks. Only those student names are shown which the user is allowed to see. When the user clicks on a hyperlink, a new window opens showing the details of the user. The child window's address bar shows the URL as follows.

myhost:8080/studentID=100

The problem is that the user could change the value of the parameter studentID and get the details of some other student which he/she is not eligible to see (hence not shown in the previous list screen). This is a security issue - URL manipulation.

I could think of some of the ways we could prevent this.

Implement role-based security using the Spring Framework.

For a tutorial you may refer to:
http://www.mkyong.com/spring-security/spring-security-access-control-example/

You need to use cookies and unique session IDs. So a user logs in and is given a unique key which corresponds to a database table with these temporary access tokens or session IDs. Usually these tokens are only valid for a period of time. On the server side you can check the cookie value against the database and redirect users that are not allowed access. Good luck, you're asking the right questions, just keep going!
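The server-side check that the two answers above call for, written as an added Spring MVC example that is not from the question or from any answer here. The StudentRepository interface, the Student record, the TEACHER role and the isVisibleTo relation are assumptions made for illustration; the point is that the authorization decision uses the server-side session identity, not the studentID the client typed into the URL.

```java
import java.util.Optional;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Assumed data model and data access interface (not the page's own code).
record Student(long id, String name, String email) {}

interface StudentRepository {
    Optional<Student> findById(long id);
    // true only if the given user is entitled to see this student
    boolean isVisibleTo(long studentId, String username);
}

@RestController
public class StudentController {

    private final StudentRepository repo;

    public StudentController(StudentRepository repo) {
        this.repo = repo;
    }

    // Same URL shape as in the question: /student?studentID=100
    // Requires @EnableMethodSecurity on a configuration class for
    // @PreAuthorize to be enforced. The role check alone does not close
    // the hole: every teacher could still change studentID, so the
    // ownership check below is the part that matters.
    @PreAuthorize("hasRole('TEACHER')")
    @GetMapping("/student")
    public Student student(@RequestParam("studentID") long studentID,
                           Authentication auth) {
        // auth.getName() comes from the server-side session established at
        // login, so the client cannot tamper with it the way it can with
        // the query parameter.
        Student s = repo.findById(studentID)
            .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        if (!repo.isVisibleTo(studentID, auth.getName())) {
            // 404 rather than 403 so the response does not confirm that a
            // student with this ID exists at all.
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return s;
    }
}
```

The same isVisibleTo check should also drive which names appear on the list page, so the list and the detail endpoint cannot disagree about what a user may see.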

You don't need to open a separate window. Here is an example. I'm using jQuery here.

<script type='text/javascript' src='http://code.jquery.com/jquery-1.6.4.js'></script>

Sample HTML

<div id="blockbox">
    <div class="contents">
        <div id="data"></div>
        <div class="close">close</div>
    </div>
</div>

<div>
<a href="#" stid='1'>Name1</a>
<a href="#" stid='2'>Name2</a>
<a href="#" stid='3'>Name3</a>
<a href="#" stid='4'>Name4</a>
<a href="#" stid='5'>Name5</a>
</div>

CSS

div.contents
{
    color: #111;
    font-family: "Calibri";
    background-color: #eee;
    text-align: left;
    min-height: 100px;
    box-shadow: 0px 0px 7px #000;
    position: absolute;
    width: 200px;
    height: 10px;
    margin-left: 20%;
    margin-top: 20%;
    padding: 16px;
    z-index: 2000;
    display: inline-block;
}

div.contents .close
{
    width: 20px;
    height: 24px;
    position: absolute;
    top: 0px;
    right: 30px;
    cursor: pointer;
}

jQuery

$(document).ready(function(){
    // hide the popup until a name is clicked
    $("#blockbox").fadeOut(0);

    $("div a").click(function(e){
        e.preventDefault();
        $("#blockbox").fadeIn(100);
        //$("#data").html($(this).attr("stid"));

        // This will send studentID to the relevant page
        // and retrieve the result.
        // "myhost:8080" is the placeholder endpoint from the question;
        // replace it with the real URL of your server-side script.
        $.post("myhost:8080",
        {
            studentID: $(this).attr("stid")
        }
        ).done(function(data) {
            $("#data").html(data);
        });
    });

    $(".close").click(function(e){
        $("#blockbox").fadeOut(100);
    });
});

Your server-side script catches the studentID sent by the $.post method. I'm using PHP here.

<?php
$studentID=$_POST['studentID'];
//echo student details
?>

Then the data variable catches the response and adds it to the #data element.

.done(function(data) {
    $("#data").html(data);
});

Demo here

粤ICP备18138465号  © 2020-2024 STACKOOM.COM