
How to make Servlet recognize caller JSP and session

I am building a simple web application using servlets. I am a beginner but have tried to learn most of this technology. There is something I cannot figure out. One of my servlets is the useful BalusC FileServlet

http://balusc.blogspot.mx/2007/07/fileservlet.html

It responds to GET requests with the required file, nice and clean.

I use this FileServlet to serve CSV files for a Dygraph

http://dygraphs.com/

I have two types of users: guests and admins. Guests should be able to SEE the graph BUT NOT be able to DOWNLOAD the CSV file. Admins should be able to do both.

The FileServlet responds to the URL pattern file/* (* is the filename), and it is VERY convenient because the Dygraph reads the file from the URL it is given.

There is a loginServlet built within this webapp, and I want to prevent the FileServlet from GIVING the file if the user just copy-pastes the URL that is given to the Dygraph. The FileServlet is already able to get the session and the logged-in user from that session, but I don't know how to detect which page called the GET method. I want the FileServlet to serve the file ONLY when called from within the JSP code, and not from the browser's address bar.

Let me explain a bit:

I mean, as a guest user, the following JavaScript code should display the graph (the FileServlet serves the file):

<div id="graphdiv2" style="width:640px; height:480px;">
    <script type="text/javascript">
        var g2 = new Dygraph(
            document.getElementById("graphdiv2"),
            "${messages.rutacsv}", // path to CSV file, filled in server-side
            {
                rollPeriod: 10,
                showRoller: true
            }
        );
    </script>
</div>

The variable "${messages.rutacsv}" is replaced by the servlet with something that looks like this:

"file/2012-04-20_1.csv"

So the Dygraph loads the file nicely and plots the lines.

BUT, I want the FileServlet to be able to detect when the user copy-pastes this URL after the context name and block it, so only the Dygraph can download the file.

For example, if the user types in his browser:

http://localhost:8080/MyWebApp/file/2012-04-20_1.csv

he shouldn't be able to download it. Only admins should be able to.

NOW, I am thinking that maybe I should implement the FileServlet so it has to be called with another URL pattern or with a POST method, so a simple user copy-paste can't get past the "originating JSP" check.

BTW, I'm coming back from trying with Struts2, which is by far too complicated for this application. I abandoned it for convenience and ease of development with simple servlets and JSPs.

Use a filter to check the user role. That is, before any important action, it is necessary to check whether the user has the right to perform this action. This is the task of a servlet filter.

You must implement the method doFilter() in your class extending javax.servlet.Filter as follows:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class CheckRightAccessFilter implements Filter {

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        HttpSession session = req.getSession();

        String currentRole = (String) session.getAttribute("userRole");

        if ("admin".equals(currentRole)) {
            chain.doFilter(request, response);                // authorized: let the FileServlet serve the file
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // not authorized: deny and do not continue the chain
        }
    }

    public void destroy() {}
}

And don't forget to map this filter to the needed address in the web.xml file:

<filter>
    <filter-name>CheckRightAccessFilter</filter-name>
    <filter-class>yourproject.CheckRightAccessFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CheckRightAccessFilter</filter-name>
    <url-pattern>*.csv</url-pattern>
</filter-mapping>

Use a servlet filter which checks the submitted URL and, on the basis of the session object, identifies the user role. If it finds an authorized user then it can redirect to the download page.
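Both answers above describe the same mechanism: a filter in front of the FileServlet that decides from the session, not from the caller, whether the file may be served. The following is an added example written for this page, not code from either answer or from BalusC's FileServlet. It assumes Servlet 3.0 or later (for @WebFilter), that the FileServlet is mapped to /file/*, that the login servlet stores the role under the session attribute "userRole" with the value "admin" for administrators (as in the first answer), and that the login page lives at /login.jsp; the class name, the attribute name and the login path are assumptions. It separates the two failure cases a practitioner wants to tell apart: nobody logged in (send to login) and a logged-in guest (403), and it fails closed in both.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the answers above. Assumed names: the session
// attribute "userRole" set by the login servlet, the role value "admin",
// the login page "/login.jsp" and the FileServlet mapping "/file/*".
@WebFilter(urlPatterns = "/file/*")   // same pattern as the FileServlet, so no path bypasses the check
public class CsvAccessFilter implements Filter {

    static final String ROLE_ATTRIBUTE = "userRole";
    static final String ADMIN_ROLE = "admin";
    static final String LOGIN_PAGE = "/login.jsp";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false): do not create a session for an anonymous request
        HttpSession session = req.getSession(false);
        String role = (session == null) ? null : (String) session.getAttribute(ROLE_ATTRIBUTE);

        if (role == null) {
            // Not logged in at all: send to the login page and stop here.
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        if (!isAllowed(role)) {
            // Logged in (e.g. as a guest) but not entitled to the CSV: deny and stop the chain.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Authorized: the FileServlet behind this filter serves the file.
        chain.doFilter(request, response);
    }

    // The whole authorization decision in one place. It looks only at the
    // server-side session; it deliberately ignores Referer and every other
    // header, because the client chooses what to send in those.
    static boolean isAllowed(String role) {
        return ADMIN_ROLE.equals(role);
    }

    @Override
    public void destroy() { }
}
```

On a container older than Servlet 3.0, replace the annotation with a web.xml filter-mapping whose url-pattern is /file/*, the same pattern the FileServlet is mapped to, so that every path the servlet can serve passes through the filter. Two caveats apply to the goal stated in the question. A check on the Referer header (or any "was this called from my JSP" heuristic) cannot distinguish a Dygraph request from a copy-pasted one, because the browser's address bar, curl or any script can send whatever Referer it likes. And a guest whose browser is allowed to fetch the CSV so that the graph can be drawn has, by then, received the CSV and can save it, so "see the graph but not download the file" is not something the server can enforce; the filter can only decide who receives the file at all.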
