stackoom
  简体   繁体   中英

Restrict Access to DWR(Easy Ajax for Java) from URL bar

 原文  2015-03-10 13:26:30       java/ ajax/ dwr

Question

I am using DWR , which is commonly known as Easy Ajax for Java .

But it can be accessed directly via URL bar like this 

http://localhost:8080/myProjectName/dwr/

from here I can execute each and every Ajax Call , which is considered as a threat to Application Security ,

Is there a way to restrict this ?

1 answers

solution1
 1 ACCPTED  2015-04-23 20:05:32

I'm not sure what you're trying to accomplish, but here are some suggestions:

in your servlet-declaration in web.xml . Set param-value to false and http://localhost:8080/myProjectName/dwr/ will return a 404 (page not found).

  • Even when you disable debug-mode, it is still possible to run your functions. That is why you can restrict which classes and which functions of these classes are available from the web in your drw.xml . For details on dwr.xml check the DWR documentation

  • Keep in mind that each and every function that is publicly available should check that the user is permitted to run it. I usually create a function like this: 

     private void getLoggedInUser(){ WebContext ctx = WebContextFactory.get(); HttpSession session=ctx.getSession(); if(session.getAttribute("loggedIn")!=null && (Boolean)session.getAttribute("loggedIn")==true){ if(session.getAttribute("user")!=null){ try{ return (Person)session.getAttribute("user"); }catch (ClassCastException ex){ return null; } }else{ return null; } }else{ return null; } }

then at the beginning of every function that is available through the web, i do something like 

    Person user=getLoggedInUser();
    if(user)==null return null;

  • Always keep in mind that javascript can be manipulated by the visitor of your site. If you publish a function through dwr, assume that it can be called by anybody. I can't stress this enough: in every function that is published through dwr, first make sure that the user is allowed to run it, then check that any arguments the user may have passed are valid.

  • Update: It is also possible to restrict access to a function using filters .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to restrict user from editing the URL data in a java application and access the URL Easy way to access wsdl from java DWR and other possible tools for build java application level Ajax framework how to update user list in a ajax web chat using java and dwr Upload progress bar in DWR? Java keytool easy way to add server cert from url/port How can I pass an Object from javascript to java with DWR? Restrict postges access from java clients by using java program on a server Using struts 1 with dwr progress bar Question on AJAX Library (like DWR)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM