SpringMVC: How to prevent client directly visit a JSP view? - spring

I am using SpringMVC to make a simple web app.
My controller request mapping is like this:
@RequestMapping(value = "index.html")
public String index(Model model) {
    // The JSP reads this attribute when it renders
    model.addAttribute("type", "index");
    return "index";
}
When I visit the following URL:
http://localhost:8012/MyCloud/index.html
Things work fine and I can see the properly rendered /views/index.jsp.
But if I directly visit the views/index.jsp file with the following URL, the URL is indeed visitable. And there is an ugly 500 server error because, apparently, no attribute named "type" has been set, so a NullReferenceException is thrown.
http://localhost:8012/MyCloud/views/index.jsp
By mapping requests to *.html URLs, I want to trick my customers into believing they are visiting a plain HTML page. But if they somehow manage to find out my JSP view locations and visit them directly, they will see ugly errors.
Can I prevent this?
Shall I use an error page?

Servlet containers won't serve any content in WEB-INF. By putting your JSPs there, you prevent anyone from directly accessing a JSP by navigating to it in the browser by name.
So move all your JSPs to the WEB-INF folder, and users will not be able to directly access the URLs, while the controller code will be able to render the UI properly with them.
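An added example, not part of the original answer: once the JSPs are under WEB-INF, the view resolver must point there so the controller's forward still finds them. The code assumes Java-based Spring MVC configuration, that the views were moved to /WEB-INF/views/, and a hypothetical package name com.example.mycloud.

```java
package com.example.mycloud; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

@Configuration
@EnableWebMvc
@ComponentScan(basePackageClasses = WebConfig.class)
public class WebConfig {

    // Maps the logical view name "index" to /WEB-INF/views/index.jsp.
    // The container refuses browser requests for anything under /WEB-INF/,
    // but a server-side forward (which is how this resolver renders JSPs)
    // is still allowed, so only the controller path can reach the view.
    @Bean
    public ViewResolver jspViewResolver() {
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setPrefix("/WEB-INF/views/"); // assumed new location of the JSPs
        resolver.setSuffix(".jsp");
        return resolver;
    }
}

@Controller
class IndexController {

    // Same mapping as in the question: the public URL stays index.html,
    // and the model attribute is always set before the JSP runs.
    @RequestMapping("index.html")
    public String index(Model model) {
        model.addAttribute("type", "index");
        return "index";
    }
}
```

With this in place the old /views/index.jsp path no longer exists in the web root, so the only way to render the view is through the controller, which always sets "type".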

You can configure an error page in web.xml
<error-page>
<location>/general-error.html</location>
</error-page>

Related

How to remove default index.html mapping in spring boot?

I'm using Spring boot + React JS in my application.
When a user logs in to the application, I'm building a user details object inside my controller and putting the user details object into a session attribute. Then the controller tries to return a ModelAndView object with the view as index.html.
Sometimes index.html is rendered first by default before calling the user details method. I want to remove this default index.html mapping behavior, and it always has to render from the controller's MAV.
I tried a couple of options, setting setCachable to false and a must-revalidate header, but nothing worked out for me.
Appreciate any assistance on this.

Is there any way to set custom headers and make a get request in jsp page without ajax

Is there any way to redirect to a Spring controller from a JSP page with custom headers?
I don't want to do a GET/POST request using jquery ajax.
I want to do a complete redirect to another page.
Please help.
Maybe. Note: Changing the headers isn't possible if your JSP has written something, so the "redirection" needs to be the first thing on the page.
What you can do is use jsp:include to include another page. If your JSP doesn't output anything else, that will work very much like a redirect. You can use
<%if(...){%>
<jsp:include ...>
<%}else{%>
...no redirect...
<%}%>
to create alternatives to make sure nothing is written to the output.
The next step is then to get the controller bean from Spring and call the methods directly. Note that you'll have to replicate a bunch of Spring's conveniences (like converting the result of the method into bytes sent to the browser). But Spring isn't doing any magic; eventually everything is Java code somewhere which you just have to call manually.

Java Web app: Welcome file list

Should the welcome file mentioned in welcome file list tag always be physically present?
i.e. jsp, html etc. Or can it be a URL pattern?
I defined a welcome file list in the web.xml as:
<welcome-file-list>
<welcome-file>/home</welcome-file>
</welcome-file-list>
/home downloads a JSON file from the server to display in the browser. But whenever I start the application, it does not take me to the following page: http://localhost:8080/myapp/home. Instead it always goes to http://localhost:8080/myapp/ only. Please advise what I am doing wrong.
It does need to have a physical file in your webapp folder for a welcome file to be found, even if some kind of controller will treat the request. For example, if you have a JSF app and the FacesServlet only handles requests of type *.faces in your app, you should place an empty file called home.faces under your webapp folder so it can be correctly mapped. In your case I guess the issue is slightly different: you want to fetch data from the server side and display it in the browser when the user first lands on your app, so what you can do is actually:
Create an HTML file called home.html as your welcome file, with an empty div as a placeholder for your data.
Use a JavaScript library or do an AJAX call to fetch the JSON from the server side.
If the result of the call is OK, render the placeholder div with the data fetched from the server.

restricting a user's direct access to JSP

I have trouble with restricting user access to some pages. I send an AJAX request to a servlet. On AJAX success I want to redirect to another page based on a condition. But I set a servlet constraint in web.xml, so the redirection results in an error with a 403 code. response.sendRedirect also doesn't work, as it is an AJAX request.
Any ideas? please, help me to do this redirection with relevant restrictions.
There is a very easy solution for your problem.
That's to put the JSP files (which you don't want to be accessed by users directly) inside the WEB-INF folder. The reason? Well, all files inside the WEB-INF folder are by default private members of the whole application. That means that these files can only be accessed by programs, i.e. servlets.
So if any user tries to directly access the JSP pages, he/she will get an "HTTP 404" error.
In this way you may restrict user access to specific files.

web.xml error-page does not display image

I have an error.html page which I want to redirect to when a user comes across Error404, for example. The below is working:
<error-page>
<error-code>404</error-code>
<location>/error404.jsp</location>
</error-page>
However, my error404.jsp file contains an image which doesn't get displayed when user is redirected. If I just type in the URL, the full page with image is displayed. But if a user tries to do something which reports error 404, the error404.jsp file gets displayed without the image.
I also tried with having an error404.html but I get the same problem...
Do you have any ideas why this is happening?
Many thanks
Ena
When the error page is rendered, its content is returned in the HTTP response without a redirect. This means that the browser still 'sees' it in context of the URL of the request that had an error. So any relative resource links (images, css, etc.) will be relative to the current page's URL.
So if you have the following setup:
image1.gif in images folder
error404.jsp that references the image as "../images/image1.gif"
You will find that typing http://yourserver.com/YourContextRoot/error404.jsp works fine, but when you use http://yourserver.com/YourContextRoot/path1/path2/missingPage it tries to look for the image in the wrong path (i.e. under /YourContextRoot/path1/images/image1.gif).
The solution is to use JSP EL or scriptlet to create a server-relative link (i.e. starts with a '/'), by including context-root:
<img src="${pageContext.request.contextPath}/images/image1.gif" />
I hope that works!
