WebApp Sec mailing list archives

Re: JSP Security - Limiting URL's


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Mon, 9 Dec 2002 21:10:46 -0500

If you have a site (or part of a site) where users are supposed to
access pages in a particular order, this is THE way to solve the
problem. I call this "flow control" as opposed to access control.
Essentially, you set up a state machine on the server side that controls
the transition to the next page. One nice side-effect is that there is only
a single URL for the entire site.

The biggest downside to this model is that you can't just link into any
page within the site. The only way to get to certain pages is to go through
all the steps. This will also make it difficult for spiders to index your
site, as some of them give up when many pages share the same URL. In
addition, you are quite likely to have problems with the 'web
application firewall' products, as many use the URL as a key for what
policy to enforce.

So, the article is right on.  I do have a few minor comments below on
the implementation.

I found the author's implementation a little difficult to follow. Trying
to centralize the state machine can make things within a web app real
complicated. I think a more OO way is to put each page in
charge of deciding which pages can send requests to it. Of course this
depends on the size and complexity of the state machine and how often
you think it'll change.

If you look closely at the article, you'll see that the author had to
work hard to deal with the "multiple window" problem.  State machines
don't like getting requests out of order, so if you have two windows
open at the same time, everything gets botched up. The author invented a
"smID" parameter that has to go on every page to deal with this -- then
calls it a "feature."

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
www.aspectsecurity.com


----- Original Message -----
From: securityarchitect () hush com
To: webappsec () securityfocus com
Sent: Monday, December 09, 2002 5:42 PM
Subject: JSP Security - Limiting URL's



http://www.onjava.com/pub/a/onjava/2001/06/27/java_security.html

Can anyone see a downside to this ?



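The following is an added example, not code from the thread or from the OnJava article it discusses. It sketches in Python the pattern Jeff describes: a server-side state machine behind a single URL, with each page declaring which pages may send requests to it (his "each page decides" variant), and a per-window flow id that plays the role of the article's smID parameter so that two open windows do not corrupt each other's state. The page names, the flow table and the request format (a `page` and an `smID` parameter) are constructed for the example.

```python
import secrets

# Constructed page-flow table: each page lists the pages that are allowed to
# send a request to it.  None marks "no previous page", i.e. the entry point.
ALLOWED_PREDECESSORS = {
    "start":   {None, "start"},
    "cart":    {"start", "cart"},
    "address": {"cart", "address"},
    "payment": {"address", "payment"},
    "confirm": {"payment"},
}


class FlowError(Exception):
    """Raised when a request arrives out of the permitted order."""


class FlowSession:
    """Server-side state: one small state machine per browser window.

    The window is identified by a flow id (the role the article's smID
    parameter plays), generated here and echoed back by the client in a
    hidden form field.  The user's identity still comes from the normal
    session cookie; the flow id only selects which window's state to check.
    """

    def __init__(self):
        self._flows = {}   # flow id -> page the window is currently on

    def new_flow(self):
        flow_id = secrets.token_urlsafe(16)
        self._flows[flow_id] = None
        return flow_id

    def current_page(self, flow_id):
        return self._flows.get(flow_id)

    def transition(self, flow_id, target):
        if flow_id not in self._flows:
            raise FlowError("unknown or expired flow id")
        if target not in ALLOWED_PREDECESSORS:
            raise FlowError(f"no such page: {target!r}")
        current = self._flows[flow_id]
        if current not in ALLOWED_PREDECESSORS[target]:
            raise FlowError(f"{target!r} is not reachable from {current!r}")
        self._flows[flow_id] = target
        return target


def dispatch(session, params):
    """Single-URL front controller: every request hits the same URL with
    params {'smID': ..., 'page': ...}.  Returns (flow id, page to render);
    the page is 'error' when the flow rules reject the request."""
    flow_id = params.get("smID")
    if flow_id is None:
        flow_id = session.new_flow()
    try:
        page = session.transition(flow_id, params.get("page", "start"))
    except FlowError:
        page = "error"
    return flow_id, page


def demo():
    """Walk through the cases discussed in the thread."""
    session = FlowSession()
    results = {}

    # 1. Happy path: one window walks start -> cart -> address -> payment.
    fid, _ = dispatch(session, {"page": "start"})
    for page in ("cart", "address", "payment"):
        dispatch(session, {"smID": fid, "page": page})
    results["happy_path"] = session.current_page(fid)

    # 2. Deep link: a fresh window jumps straight to 'payment'.  The state
    #    machine has no prior page for it, so the request is refused.
    _, page = dispatch(session, {"page": "payment"})
    results["deep_link"] = page

    # 3. Two windows: each carries its own flow id, so interleaved
    #    requests do not corrupt each other's state.
    fid_a, _ = dispatch(session, {"page": "start"})
    fid_b, _ = dispatch(session, {"page": "start"})
    dispatch(session, {"smID": fid_a, "page": "cart"})
    dispatch(session, {"smID": fid_b, "page": "cart"})
    dispatch(session, {"smID": fid_a, "page": "address"})
    results["window_a"] = session.current_page(fid_a)
    results["window_b"] = session.current_page(fid_b)

    # 4. Without a per-window id the two windows share one state: once
    #    window A has moved on to 'address', window B's 'cart' request is
    #    out of order and gets rejected -- the "multiple window" problem.
    shared = FlowSession()
    sid = shared.new_flow()
    for page in ("start", "cart", "address"):   # window A
        shared.transition(sid, page)
    _, page = dispatch(shared, {"smID": sid, "page": "cart"})   # window B
    results["shared_state"] = page

    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The flow id is generated server-side with an unguessable value and is only meaningful together with the authenticated session, so it selects a window's state rather than granting access on its own; a forged or stale id is simply rejected as unknown.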

