[Esapi-user] ESAPI.httpUtilities().sendRedirect()

Jeff Williams jeff.williams at aspectsecurity.com
Wed Aug 24 10:28:46 EDT 2011


Right on, John.  Sounds like the useraccount.jsp should be in WEB-INF to prevent forced browsing.  

--Jeff



On Aug 24, 2011, at 8:38 AM, "John Melton" <jtmelton at gmail.com> wrote:

> Ashish, 
> My suspicion is you're using the sendForward method (not sendRedirect as your email states). If you're using sendForward (and the DefaultHTTPUtilities), then you must send to a resource within WEB-INF. This line is from DefaultHTTPUtilities:
> 
> if (!location.startsWith("WEB-INF")) {
>     throw new AccessControlException("Forward failed", "Bad forward location: " + location);
> }
> 
> Hope this helps.
> 
> Thanks, 
> John
> 
> On Wed, Aug 24, 2011 at 5:22 AM, ashish kumar gautam <gautamashishkumar at gmail.com> wrote:
> 
> Hi….
>  
> I am using the ESAPI.httpUtilities().sendRedirect() method for redirect. 
> 
> Code is like this: ESAPI.httpUtilities().sendForward("useraccount.jsp");
>  
>  
> I have set log4j.xml and set the path for log4j.xml like this:
>  
>  -Dlog4j.configuration=" D:\Projects\infosystem\WebContent\WEB-INF\log4j.xml"
>  
> But I have got an exception:
>  
> 
> org.owasp.esapi.errors.AccessControlException: Forward failed
>       at org.owasp.esapi.reference.DefaultHTTPUtilities.sendForward(DefaultHTTPUtilities.java:791)
>       at org.owasp.esapi.reference.DefaultHTTPUtilities.sendForward(DefaultHTTPUtilities.java:801)
>       at DataBaseConnection.doPost(DataBaseConnection.java:103)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>       at java.lang.Thread.run(Unknown Source)
>  
>  
>  
> What is wrong with my code?
> 
>  
> 
> -- 
> Best regards,
> Ashish K. Gautam 
> 
> 
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
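Putting John's and Jeff's advice together, here is an added example (not code from the thread or from ESAPI itself) of a servlet that forwards to a JSP kept under WEB-INF. The servlet name, its mapping, the "accountOwner" attribute and the handling of the exception are assumptions for illustration; the only thing taken from the thread is the check quoted above, which is a plain prefix match, so the location must be written exactly as "WEB-INF/useraccount.jsp", with no leading slash ("/WEB-INF/useraccount.jsp" and "useraccount.jsp" both fail it). The log4j.xml setting plays no part in this exception.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;

/**
 * Hypothetical servlet (not from the mailing-list thread): the JSP lives under
 * WEB-INF, so the container never serves it to a browser directly, and the
 * servlet reaches it only through ESAPI's sendForward().
 */
public class AccountServlet extends HttpServlet {

    // Written the way DefaultHTTPUtilities expects: "WEB-INF" prefix, no leading slash.
    // The container resolves it relative to this servlet's path, i.e. /WEB-INF/useraccount.jsp.
    private static final String ACCOUNT_VIEW = "WEB-INF/useraccount.jsp";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Lets the one-argument ESAPI helpers find this request/response pair.
        // Redundant if an ESAPI filter already does it for every request.
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        try {
            // ... authenticate, load the account, expose what the view needs ...
            request.setAttribute("accountOwner", request.getRemoteUser()); // assumed attribute name

            // Server-side forward: the browser never learns the WEB-INF path and a
            // direct request for /WEB-INF/useraccount.jsp is refused by the container.
            ESAPI.httpUtilities().sendForward(request, response, ACCOUNT_VIEW);
        } catch (AccessControlException e) {
            // Raised only when the location does not start with "WEB-INF". That is a
            // coding error rather than bad user input, so fail closed with a generic error.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

With the JSP moved out of WebContent into WebContent/WEB-INF, a request for /useraccount.jsp yields a 404 and the page is reachable only through the servlet that performs the authorization checks before forwarding.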