If you are talking about preventing the user from typing stuff into the URL box, it is my opinion that it is a waste of time to approach the problem in this way. You can't prevent the user from typing whatever they want into the URL box. Period. So, don't try to build anything based on the flawed assumption that you can.
Instead, implement security for your application. The user logs in, the app gives good responses when the user makes a request they are allowed to make, it tells them when they make a request for something they aren't allowed to access, and what they have or have not done in previous requests is mostly irrelevant (exceptions: logging in, creating widget 12313234 before trying to edit widget 12313234, etc. -- but no fancy activity tracking solely for the sake of security). If there are resources/URLs that no one should access (like JSPs, as described below), lock them down so your server simply won't serve their content no matter who makes the request.

Start by reading SRV.12 Security from the Servlet Spec: http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

If you are asking about preventing users from bypassing the Struts action servlet and making requests for JSPs directly, here are some solutions:

1. Put all the JSP files in a directory under /WEB-INF in your war file structure. For example, you could put them in /WEB-INF/jsp. The web container (e.g. Tomcat) disallows direct requests for items under /WEB-INF, but still allows server-side forwards (which is what Struts does) to these resources.

2. Use your app's security system to disallow direct access to your JSPs. For instance, require some role that no one has to access resources with the url-pattern *.jsp.

-Max

On Wed, 2005-10-05 at 13:42 +0100, [EMAIL PROTECTED] wrote:
> Hi,
>
> Can anyone advise on how to encode the session Id so that a user cannot
> just type in the URL and get to the jsp?
>
> For example my user can create a client form creatClient.jsp but can
> also go straight to the editClient.jsp by adding it to the URL and I
> want to stop this
>
> Thanks
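
The second option from the reply above, written out as a Servlet 2.4 web.xml. This is an added example, not part of the original message: the servlet name `action` and the `*.do` mapping are assumed conventional Struts 1 settings, and an empty `auth-constraint` (which the Servlet spec defines as "no access permitted") stands in for naming a role that no one has.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Struts front controller: every *.do request goes through it
       (servlet name and mapping are assumptions for this example). -->
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Deny every direct client request for a JSP, for every user. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Direct JSP access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <!-- No http-method elements: the constraint covers all methods. -->
    </web-resource-collection>
    <!-- Empty auth-constraint: no role is allowed, so the container
         rejects the request (typically with 403). -->
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Security constraints apply only to requests arriving from the client, not to RequestDispatcher forwards or includes, so Struts can still forward to these JSPs from an action. A welcome file such as index.jsp that clients must reach directly would also be blocked by this pattern and would need to be served another way.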