
Allowing only Ajax request

 
Daesung Park
Hi,

Is it possible to put two constraints on a JSP page?
1. Only Ajax requests to the page are allowed.
2. Only specific host(s) are allowed as the request sender.

My idea is to check the Referer header, but it can be manipulated.
Do you have any good ideas?
 
Adeel Ansari
You can make use of httpServletRequest.getRemoteAddr() for the latter. I don't quite get what you mean by the first one.
 
Daesung Park
Hi Adeel, to clarify the first one:
Allowing requests via XMLHttpRequest, but not allowing requests via the browser or an HTML anchor.

I think it is very weird, but I'm just wondering if there are any tricks.
 
Adeel Ansari
I have nothing off the top of my head at the moment. No setup to try it myself and come up with an answer. So, what I suggest is to install the Firebug and LiveHttpHeaders plugins in your Firefox, and give it a go.

You can look into request/response headers using the latter, and may be able to notice the difference between a normal request and an XMLHttpRequest. You can use the Firebug console to issue requests. Yes, it looks like a bit of work.
 
Ankit Garg
Daesung Park wrote: I think it is very weird, but I'm just wondering if there are any tricks.

Well, as you yourself said, this is not directly supported, I think, because for the server an AJAX request is just like a normal request. I don't know of any difference between them. I think you can set a custom header or a request parameter in the AJAX request and recognize it on the server to solve the problem. Apart from that, I don't think AJAX requests send back cookies to the server, so you can set a cookie on the client side, and if the request comes without the cookie, then you know that it is an AJAX request...
 
Bear Bibeault
Ankit Garg wrote: Apart from that I don't think AJAX requests send back cookies to the server ...

Incorrect.
 
Jeanne Boyarsky
Daesung,
Anything on the browser can be manipulated. Someone can create an XMLHttpRequest object on their own page that calls your API. Or they can call it synchronously (making it not AJAX.)

Why do you want to detect AJAX? Maybe if you state what you are trying to accomplish someone can suggest a more feasible approach.
 
Adeel Ansari
Actually, that was my original intention, Jeanne, when I told him to install Firebug and LiveHttpHeaders, so he can realize what's going on and how we can send the same URL using the Firebug console, or even the browser's address bar, and look at the request headers using LiveHttpHeaders and the response received.
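
The two checks suggested in this thread (getRemoteAddr() for the sender, a custom header for Ajax) combined in one servlet filter, with the limits raised above noted in comments. This is an added example, not code posted by any participant; the class name, the allowlisted addresses, the javax.servlet API (Servlet 3.x/4.x, Java 9+) and the X-Requested-With header, which libraries such as jQuery set on their Ajax calls, are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: gate a JSP on caller address and an Ajax marker header. */
public class AjaxOnlyFilter implements Filter {

    // Constructed sample allowlist (documentation addresses); replace with real callers.
    private static final Set<String> ALLOWED_ADDRS = Set.of("192.0.2.10", "192.0.2.11");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Constraint 2: address of the TCP peer. Behind a reverse proxy or load
        // balancer this is the proxy's address, not the original client's.
        if (!ALLOWED_ADDRS.contains(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Constraint 1: marker header the page's script adds to its XMLHttpRequest.
        // Any client can send this header, so it only screens out plain
        // navigation (address bar, anchors); it does not authenticate the caller.
        if (!"XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to the JSP's URL pattern in web.xml or with @WebFilter.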
 