Ever visit a website such as myspace where they leverage CAPTCHA to prevent spam? The typical pattern is to present a challenge to each URL that is opened, yet the challenge doesn't actually belong to the page itself which causes additional bandwidth usage.
So, if I open up six pages at the same time and want to present a challenge on each page. I want the challenge to be tied to the page and not to the session. How can I make this work with Spring and/or Struts.
This depends largely on what you are using for rendering the pages. Spring MVC? Struts? You can tie components to pages in most of these frameworks.
You can also maybe think of a workaround where each page registers his captcha in the session in a seperate key, and have the page check against it's own value.
Related
I need to prevent duplicate form submissions for my customer's website.
we need some form data from user for order confirm page.
we use load balancing for web server.
Approach 1 : Post/Redirect/Get
(PRG pattern : http://en.wikipedia.org/wiki/Post/Redirect/Get)
I was trying to use PRG pattern at first.
in this case, I think I need to deal with session(or spring flashmap) across multiple web server.
Approach 2 : Disable refresh on client.
one of my colleague suggested this approach.
Approach 3 : Post/Post
another colleague suggested this approach.
I think approach 2, 3 is not a good choice.
but I do not know the specific cons or security risk about these approaches.
I tried to google, but I failed to find answer.
Thank you in advance.
[Edit]
I would like to update the pros and cons.
Approach 1 : Post/Redirect/Get
pros
Safe!
cons
if you need some form data from user to show it on confirm page, you need to use session ,database or something.
if you use session, and have more than one server, you have to do something to make session available across multiple servers.
Approach 2 : Disable refresh on client.
pros
cons
Users will get upset if you limit the browser standard features, like refresh.
need to consider F5, Ctrl+F5, ⌘ + F5 etc, various refresh icons.
In mobile, many web browser automatically refresh page when user reload browser.
Approach 3 : Post/Post
pros
You don't have to worry about session sharing issue across multiple servers.
cons
Second form submit can fail.
Approach 1 is a pretty straight forward method that solves some duplicate post issues. It won't cope with server lag and which is a reason for duplicate submission.
Approach 2 is nothing but wrong. Users will get upset if you limit the browser standard features, like refresh. That is, if you are even able to do so technically cross browser. You need to consider F5, Ctrl+F5, ⌘ + F5 etc, various refresh icons.
I must admit that I don't fully understand the intent of Approach 3, however, it feels a bit wrong to bounce the user to an empty page.
Another standard approach is to use a nounce with form posts. This will also help you avoid a security risk called Cross Site Request Forgery. It's pretty simple.
Generate a "unique" random string on the server, called nonce.
Insert the nonce into the database.
Attach the nonce to the form as a hidden field (or pass by URL or similar).
Make sure the nonce is sent along in the form post to server.
At server side, validate the nonce, remove nonce, "save form data".
Display confirmation page.
If you get another request with a non existing nonce, then you know it's either a duplicate post or some more evil CSRF attack.
You can probably find some support library that does this for you.
I have a security issue. I have a menu, which allows or disallows user to go to a certain page. It is simple, if user is disallowed to reach page, link to it is being hidden in the menu.
But, user still can enter direct URL in browser, and can reach page.
For example, I have CardPage, per link I can reach it using
setResponsePage(new CardPage());
or
setResponsePage(CardPage.class);
but still I can reach this page entering such URL:
http://127.0.0.1:8080/my-application-war/?wicket:bookmarkablePage=:com.my.application.CardPage
Is there is any way to forbid user to access this page per URL?
I can give you additional info on that question if there is something you need.
UPDATE
Had to do it manually, check on every page if it is allowed to be seen, and redirect to NotAllowedPage.
There are several ways to do this, like using Spring Security or Apache Shiro. But if you don't need anything fancy, I would just go with the functionality that is provided by Wicket itself. Just read Security with Wicket in the Wicket guide (which is by the way an excellence reference).
I have nearly 20+ pages from different Web application that a user can access once he login. I have this 'Recent Activity' section on my Home page where I have to show the last 10 visited pages by the user ( if possible along with date and time of visiting). The pages are jsp pages. I dont know how I can acheive this basically I am more a frontend developer so can I do this with jquery, jsp, js etc.. or anyother technoloiges. We use Java technology also. Please let me know any sample code or way of approach to do it.
Thanks
I am a php developer, not too familiar with jsp, but i am sure it would be the same logic.
You have 2 option here:
Option 1:
Create a database table and record all the user flow whenever the user access an application.
Option 2:
Save all the flow in a cookie variable so whenever the user logs in you can pull out all his info from the cookie variable.
Personally i rather use the option 1, because if the use clears out the cookie/session variable you will lose lo all the information.
Since i am not a jsp i can't providew with a sample code. Hope this get your started at least.
This information may be stored on Cookies or User Session.
If it's available on cookies, you can access and manipulate it using JavaScript or any other server-side languages.
Do you want some example on how to use it using JSP&Servlets?
There's pros and cons for each approach.
Cookies: User can cleanup private browser data, and cookies go away with it.
Sessions: You can store it in some database or log file, for future load or/and analysis.
Cons is the management of this data in any layer. But it's not a big problem.
For my college project I have to build a custom JSP/Servlet MVC application so I can't use frameworks such as Struts or Spring. I already have FrontController, Command, Service, DAO, Business layers.
Let's say I want to create a website with a sidebar and in the sidebar has the following widgets: Members, Who's Online, Recent Comments. Each widget accesses the database via Command -> Service -> Dao.
I want information to be displayed in the sidebar constantly throughout the application. Problem is I don't know how to do this. I know how to display information by processing GET/POST requests but I don't know how to display information (from database) without GET/POST requests if that makes sense?
Couple of ways I tried that don't work:
1) Upon loading the homepage and invoking the HomeCommand calls ListUsers from UserDao and then stores them into a session. But if the user enters the site from a different URL ListUsers won't be stored into a session.
2) Creating a separate Command: MembersCommand, WhosOnlineCommand, RecentCommentsCommand. Then use JSTL include to include the FrontController and to get it to invoke the Command. But include wants a .jsp
<jsp:include page="FrontController/members" />
Fragment "FrontController/members" was not found at expected path /MyApplication/WebContent/WEB-INF/FrontController/memmbers
3) Create individual .jsp's for each widget (members.jsp, whosonline.jsp) with Java code to access the Dao. Then use JSTL include. But how would I get it to go through the FrontController and isn't Java in jsp's a big no-no?
4) Use <jsp:forward page="" /> but this gives me a blank page?
I'm out of ideas?
check this tutorials for MVC architecture for java web applications. hope you can get some
insight
http://www.javaranch.com/journal/200603/frontman.html
Design Patterns web based applications
http://balusc.blogspot.com/2008/07/dao-tutorial-data-layer.html
Show JDBC ResultSet in HTML in JSP page using MVC and DAO pattern
I didn't understand all of what you are trying to say, but perhaps a servlet design pattern can help. Typically with a front controller, you access your persistent storage, and then store what you need to store in "session" or "request" scoped areas. However, since you talked about "another web site" I think you may need to store your data in the "application" type area. If you are using a servlet as a front controller, this area is accessed by getServletContext().setAttribute() and later your JSP page can just access the variable the same way as it does to session-scoped variables. I couldn't tell if your front-controller was a servlet or a JSP, but it doesn't matter because both are able to store application-scoped variables.
In a real business environment, this is not sufficient, because servlets are often shared amongst multiple machines, and can be re-started and stopped many times; and therefore any persistent information would have to be retrieved directly from the database. However, for a project, storing data in application-scoped variables is sufficient.
I know I missed a good part of what you were explaining, but my point is a front controller accesses (several) persistent storages, loads up all the data needed for the returned jsp pages into session or request or application variables(in this case) and the jsp file can be written to make use of all the data that had been stored in these variables.
I am about to start a totally new web project.
The project need to have different small window, which contain html generated from other web site.
One important requirement is when user submit a form in the window, NO refresh should be invoked on the other window.
My leader say let's look into jsr286 portlet (coz portlet sounds like window?). But after look into some example (pluto portal/jetspeed2), none of them support the requirement, whenever a window is submit, whole page is submitted.
My rough idea is to use iframe in each window, and let the iframe does the rest (like ref to external website, handle form submission).
Personally, I don't think iframe fit quite well into the portlet jsr286. And most of the window has nothing to do with each other, so processEvent is not compulsory.
So my questions is:
for a new project with such requirement (separate form submission), does it worth it to confirm to portlet jsr286?
If it does, how does the iframe works with different portlet modes(VIEW/EDIT/HELP) or window state(MAX/NORMAL/MIN)?
Thank you very much!
there's a good explanation here that you can point your team leader to. it says:
Mashups and portals are both content aggregation technologies. Portals are an older technology designed as an extension to traditional dynamic Web applications, in which the process of converting data content into marked-up Web pages is split into two phases: generation of markup "fragments" and aggregation of the fragments into pages. Each markup fragment is generated by a "portlet", and the portal combines them into a single Web page. Portlets may be hosted locally on the portal server or remotely on a separate server.
and, critically:
Portal technology is about server-side, presentation-tier aggregation.
so aggregation is done on the portal server (even when the portlet servers are separate - this is all driven by the need to make the server side scalable on big sites; it's not about clients combining from multiple sources). and that's why submission refreshes the whole page (because it has to load the new page from the portal).
which should help clear things up, since it sounds like what you are looking for is client-side aggregation (i don't think i'm telling you anything new here, but i'm giving you references in "enterprise speak" that might sound more convincing).
(so, just in case it's not clear, your requirements sound like you need a client-side mashup. portlets won't work because they are assembled server-side. iframes would work, but have some limitations (size, rescale, style / dynamic changes). i was going to suggest combining things on the client using javascript with backbone, but i am worried you'll have issues with pulling data from different sites because of the restrictions on what javascript from within a web page can access. looks like this article would be worth reading...)