WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Preventing direct URL access in a J2EE environment

From: "Roberto GABERGI" <Roberto.Gabergi () axiliance com>
Date: Fri, 6 May 2005 11:05:02 +0200
For our application, we would like to prevent users
from requesting application resources directly.
E.g. browsing to http://localhost/app/method.do?id=5&type=3 
instead of actually clicking on a link that the application provides.


You can do that without any code writing.
You must only install an application firewall in front of your Web application.
The application firewall must have a session manager feature to enable or disable browsing on a specific page.
This feature is sometimes called "Dynamic White Page".
When actived, only specific URLs (start pages defined by administrator) can be used to enter in the web app.

Best Regards,

Roberto GABERGI (mailto:roberto.gabergi () axiliance com)
AXILIANCE - http://www.axiliance.com
Web Application Firewall, Citrix ICA Security and Web Single Sign-On


-----Message d'origine-----
De : Kevin Conaway [mailto:kevin.conaway () gmail com] 
Envoyé : mardi 1 mars 2005 16:20
À : webappsec () securityfocus com
Objet : Preventing direct URL access in a J2EE environment

For our application, we would like to prevent users from requesting application resources directly.  E.g. browsing to
http://localhost/app/method.do?id=5&type=3 instead of actually clicking on a link that the application provides.

We would like to do this without a major impact on our code.  I was thinking of using the following scenario:

- Currently we have tag libraries that help build all our URLS.  These tag libraries would be modified to include a 
strong cryptographic token that is unique to each URL/User combination.  - The token/URL combination would be stored in 
the application context for a pre-determined amount of time.

- Next, we would use a Servlet filter to intercept the URL.  First, deny URLS requested without tokens. If a token is 
passed, verify that matches the token stored in the application context for the requested URL.

For the token, I was considering using SecureRandom to generate a random number and compute a hash of the random number 
and the URI being requested.  This would be stored along with with URI and the user Id.

Could anyone point out any pitfalls I need to be aware of, or if I'm going about things the wrong way?

Thanks

Kevin
Previous By Date Next
Previous By Thread Next

Current thread: