
Restrict Access to DWR (Easy Ajax for Java) from URL bar

I am using DWR, which is commonly known as Easy Ajax for Java.

But it can be accessed directly via the URL bar, like this:

http://localhost:8080/myProjectName/dwr/

From here I can execute each and every Ajax call, which is considered a threat to application security.

Is there a way to restrict this?

I'm not sure what you're trying to accomplish, but here are some suggestions:

  • in your servlet-declaration in web.xml. Set param-value to false and http://localhost:8080/myProjectName/dwr/ will return a 404 (page not found).

  • Even when you disable debug-mode, it is still possible to run your functions. That is why you can restrict which classes and which functions of these classes are available from the web in your dwr.xml. For details on dwr.xml check the DWR documentation.

  • Keep in mind that each and every function that is publicly available should check that the user is permitted to run it. I usually create a function like this:

    // Returns the logged-in Person from the current DWR request's session, or null
    private Person getLoggedInUser() {
        WebContext ctx = WebContextFactory.get();
        HttpSession session = ctx.getSession();
        if (session.getAttribute("loggedIn") != null
                && (Boolean) session.getAttribute("loggedIn") == true) {
            if (session.getAttribute("user") != null) {
                try {
                    return (Person) session.getAttribute("user");
                } catch (ClassCastException ex) {
                    return null;
                }
            } else {
                return null;
            }
        } else {
            return null;
        }
    }

then at the beginning of every function that is available through the web, I do something like

    Person user = getLoggedInUser();
    if (user == null) return null;

  • Always keep in mind that JavaScript can be manipulated by the visitor of your site. If you publish a function through dwr, assume that it can be called by anybody. I can't stress this enough: in every function that is published through dwr, first make sure that the user is allowed to run it, then check that any arguments the user may have passed are valid.

  • Update: It is also possible to restrict access to a function using filters.
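The answer's last three points (check the user first, validate every argument, and use a filter so the check cannot be forgotten) fit together in one piece of code. The following is an added example in Java; it is not code from the original answer or from the DWR project. The package `com.example.dwr`, the class names `DwrSecurity`, `AuthFilter` and `ProfileService`, the session attribute names `loggedIn` and `user`, and the `loadProfile` helper are assumptions; the DWR types `WebContextFactory`, `AjaxFilter` and `AjaxFilterChain` and the `dwr.xml` elements quoted in the comment are DWR 2.x's own.

```java
package com.example.dwr; // assumed package name

import java.lang.reflect.Method;
import javax.servlet.http.HttpSession;
import org.directwebremoting.AjaxFilter;
import org.directwebremoting.AjaxFilterChain;
import org.directwebremoting.WebContext;
import org.directwebremoting.WebContextFactory;

/**
 * Added example, not part of the original answer. Everything sits in one outer
 * class only so that it fits a single file; the nested classes are registered
 * in dwr.xml by their binary names, e.g. (DWR 2.x syntax):
 *
 *   <allow>
 *     <filter class="com.example.dwr.DwrSecurity$AuthFilter"/>
 *     <create creator="new" javascript="ProfileService">
 *       <param name="class" value="com.example.dwr.DwrSecurity$ProfileService"/>
 *       <include method="getProfile"/>   <!-- publish only this method -->
 *     </create>
 *   </allow>
 */
public final class DwrSecurity {

    /** Minimal stand-in for the answer's Person type (assumed shape). */
    public static final class Person {
        private final long id;
        private final boolean admin;
        public Person(long id, boolean admin) { this.id = id; this.admin = admin; }
        public long getId() { return id; }
        public boolean isAdmin() { return admin; }
    }

    /** Null-safe equivalent of the answer's getLoggedInUser(). */
    public static Person currentUser(HttpSession session) {
        if (session == null) {
            return null;                                   // no session: anonymous caller
        }
        Object flag = session.getAttribute("loggedIn");    // assumed attribute names
        Object user = session.getAttribute("user");
        // Boolean.TRUE.equals() tolerates a null or non-Boolean flag, and
        // instanceof replaces the try/catch around the cast.
        if (Boolean.TRUE.equals(flag) && user instanceof Person) {
            return (Person) user;
        }
        return null;
    }

    /**
     * Runs before every published method, so a method that forgets its own
     * check is still protected. Throwing stops the call: DWR hands the
     * exception to the client's error handler and never invokes the target.
     */
    public static final class AuthFilter implements AjaxFilter {
        public Object doFilter(Object obj, Method method, Object[] params,
                               AjaxFilterChain chain) throws Exception {
            WebContext ctx = WebContextFactory.get();
            HttpSession session = ctx.getSession(false);   // false: never create one for anonymous callers
            if (currentUser(session) == null) {
                throw new SecurityException("Login required to call " + method.getName());
            }
            return chain.doFilter(obj, method, params);
        }
    }

    /**
     * A published service. It re-checks the user (defence in depth, in case the
     * filter is dropped from dwr.xml) and then validates the argument, because
     * the browser-side JavaScript can be edited to send any id at all.
     */
    public static final class ProfileService {
        public String getProfile(long requestedId) {
            Person user = currentUser(WebContextFactory.get().getSession(false));
            if (user == null) {
                return null;                               // mirrors the answer's early return
            }
            if (requestedId <= 0) {
                throw new IllegalArgumentException("invalid profile id");
            }
            // Authorisation on the argument itself: a plain user may only read
            // their own profile; an admin may read any.
            if (!user.isAdmin() && requestedId != user.getId()) {
                throw new SecurityException("not allowed to read profile " + requestedId);
            }
            return loadProfile(requestedId);
        }

        /** Assumed data-access helper; a placeholder for the real lookup. */
        private String loadProfile(long id) {
            return "profile#" + id;
        }
    }
}
```

The filter gives a single place where the "is anybody logged in" rule is enforced for every published method, while the per-method checks in `getProfile` cover what a global filter cannot know: whether this user may act on this particular argument.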
