How to disable GET requests to JSP page? -

-

I am fixing some old flaws and as part of a flaw, I need to make sure that some requests are only being posted is a form instead of JSP page application for a gET request, which presents another JSP page data do (I know against its wrong and MVC but it's too late to fix ), Because it is a JSP page Land, so we do not or can post requests so we can get request. In the case of malicious users, read the form and http: // host: 80 / somejsp.jsp? Param = value and param = value can send request as a GET from the browser. In that case, it becomes a violation, I need to ensure that a GET request has not been processed in a way to do this, follow the steps below in jsp page - 

  if (request.getMethod (). equals ( "gET")) {// the user reroute is not because it is a valid REQ}

are there any other advantage The way?

two solutions:

  1. a Lt; Security-lock & gt; is an empty & lt; Auth-constraint & gt; & lt; Url-pattern & gt; * jsp and & lt; Http-method & gt; On GET on which on JSP files for all will block request (as suggested by McDowell): 

      & lt; Security-lock & gt; & Lt; Display-name & gt; Restrict GET requests to JSP files & lt; / Display-name & gt; & Lt; Web resource collection & gt; & Lt; Web-Resource-Name & gt; JSP file & lt; / Web-resource-name & gt; & Lt; URL pattern & gt; * Jsp. & Lt; / Url pattern & gt; & Lt; Http-method & gt; Received & lt; / Http-method & gt; & Lt; / Web resource collection & gt; & Lt; Auth-constraint / & gt; & Lt; / Safety-barrier & gt;    
  2.  
     Create a  filter , which is  & lt; Url-pattern & gt;  of  * .jsp  and basically does the following in the  doFilter ()  method. If (((HttpServletRequest request)) KgetMethod () K equivalent ( "GET")) ((Actiteepisrvet response) response) .andarrr (Actiteepisrvet response. Ssi_mattiodiooanooaoeload); } And {chain.doFilter (request, response); }

There is no need to be copied on all JSP pages that only Avadstet Akspasn Is prone to: The response is already committed errors


Comments

Post a Comment

Popular posts from this blog

python - rename keys in a dictionary -

-
I want to change the names of keys in a dictionary which are ints, and I need them so that the inputs with key zero They can sort correctly. For example, my keys are like this: '1', '101', '11' and I may need them: '001', '101', '011' What is doing, but I know that there is a better way tmpDict = {} in the ADC for the old: t MpDict ['% 04d'% int (olden)] = addict [oldkey] New controlled = tmpDict You are going wrong about this if you want to draw entries on a line in a specific way, then you have to sort on the extraction. for sorted (D, key = int): print '% s:% R'% (k, d [k])
Read more

windows - Heroku throws SQLITE3 Read only exception -

-
After I deploy the app to Heroku, I have to run migration scripts and get this error message ... ITES \ padrino \ prophetmargin & gt; Heroku Rack AR: Rack mutated! SQLite3 :: ReadOnlyException: only one try to write database to read: CREATE TABLE "schema_migrations" ( "version" varchar (255) NOT NULL) /disk1/home/slugs/215264_925fd2c_65a3/mnt/.bundle/gems/gems/ padrino-core- is 0.9.11 / lib / padrino-core / cli / rake.rb: 9: in `init ' how can this be? I also tried to run Heroku dbpush SQLite: //db/my-db.db and that did not work Horoku sqlite3 but using postgres does not do. I'm not sure why you are receiving this error, however, as I have used sqlite3 in development and when pushing it into its travel, they do some magic which migrates to postgrads. I'm absolutely sure how Heroku does 'backwash' this database but it seems that this is happening to you because it's the SQLite db file which is obviously due to Heroku's...
Read more

lex - Building a lexical Analyzer in Java -

-
I am currently learning lexical analysis in compiler design. To know how a lexical analyzer actually works, I am trying to build myself. I am planning to make it in Java The input to the lexical analyzer is a .tex file that is of the following format. \ section {script} {intro} \ section {Scope} arbitrary text \ section {relevance} uncontrolled text \ subdivision (profit) arbitrary text \ subsubsection {in real life} \ subdivision {Ingredient} \ end {document} The output of the lecture may be a table of contents with a page number in another file. 1 Introduction 1 1.1 Scope 1 1.2 Relevance 2 1.2.1 Benefits 2 1.2.1.1 Real life 2 1.2.2 loss 3 I hope that This problem is within the scope of Language Analysis Read the .exe file and check '\' and continue to check whether it is actually on search In the sectioning command is set to indicate whether or not a flag variable is the type of sectioning. I hope the above approach will work for the construction of Lexa...
Read more