Allowing only Ajax request

Daesung Park
Ranch Hand

Joined: Mar 22, 2007
Posts: 68
Hi,

Is it possible to put two constraints on a JSP page?
1. Only Ajax requests to the page are allowed.
2. Only a specific host (or hosts) is allowed as a request sender.

My idea is checking the referer header, but it can be manipulated.
Do you have any good ideas?


Daesung Park

BLOG
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
You can make use of httpServletRequest.getRemoteAddr() for the latter. I don't quite get you; what do you mean by the first one?
Daesung Park
Ranch Hand

Joined: Mar 22, 2007
Posts: 68
Hi Adeel, to clarify the first one:
Allowing requests via XMLHttpRequest, but not allowing requests via the browser or an HTML anchor.

I think it is very weird, but I am just wondering if there are any tricks.
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
I have nothing off the top of my head at the moment. I have no setup to try it myself and come up with an answer. So, what I suggest is to install the Firebug and LiveHttpHeaders plugins in your Firefox and give it a go.

You can look into request/response headers using the latter, and may be able to notice the difference between a normal request and an XMLHttpRequest. You can use the Firebug console to issue requests. Yes, it looks like a bit of work.
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9291
    
  17

Daesung Park wrote: I think it is very weird, but I am just wondering if there are any tricks.


Well, as you yourself said, this is not directly supported, I think, because for the server an AJAX request is just like a normal request. I don't know of any difference between them. I think you can set a custom header or a request parameter in the AJAX request and recognize it from the server to solve the problem. Apart from that, I don't think AJAX requests send back cookies to the server, so you can set a cookie at the client side, and if the request comes without the cookie, then you know that it is an AJAX request...


SCJP 6 | SCWCD 5 | Javaranch SCJP FAQ | SCWCD Links
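A servlet filter that combines the two suggestions in this thread, Ankit's marker header in the AJAX request and Adeel's getRemoteAddr() check, as an added example that is not code from any poster. The filter class name, the "allowedHosts" init-param and the use of the X-Requested-With convention are assumptions; both checks are advisory, since any HTTP client can send the header and getRemoteAddr() returns the proxy's address when the container sits behind one.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: refuses requests that lack the XMLHttpRequest marker
// header or arrive from a remote address outside a configured allow-list.
// Neither check authenticates the caller; they only filter out casual
// browser navigation and obviously foreign hosts.
public class AjaxOnlyFilter implements Filter {
    // Header that common JavaScript libraries add to XMLHttpRequest calls.
    private static final String MARKER_HEADER = "X-Requested-With";
    private static final String MARKER_VALUE = "XMLHttpRequest";
    private final Set<String> allowedHosts = new HashSet<String>();

    public void init(FilterConfig config) {
        // init-param "allowedHosts" (assumed name): comma-separated IP addresses.
        String hosts = config.getInitParameter("allowedHosts");
        if (hosts != null) {
            for (String host : hosts.split(",")) {
                allowedHosts.add(host.trim());
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        boolean hasMarker = MARKER_VALUE.equalsIgnoreCase(request.getHeader(MARKER_HEADER));
        boolean hostAllowed = allowedHosts.contains(request.getRemoteAddr());

        if (!hasMarker || !hostAllowed) {
            // Same status for both failures, so the response does not reveal which check tripped.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to the JSP's URL pattern in web.xml; a hand-written XMLHttpRequest must add the header itself with setRequestHeader("X-Requested-With", "XMLHttpRequest"), while jQuery-style libraries set it automatically.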
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60794
    
  65

Ankit Garg wrote: Apart from that I don't think AJAX requests send back cookies to the server ...

Incorrect.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30130
    
150

Daesung,
Anything on the browser can be manipulated. Someone can create an XMLHttpRequest object on their own page that calls your API. Or they can call it synchronously (making it not AJAX).

Why do you want to detect AJAX? Maybe if you state what you are trying to accomplish someone can suggest a more feasible approach.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
Actually, that was my original intention, Jeanne, when I told him to install Firebug and LiveHttpHeaders, so he can realize what's going on and how we can send the same URL using the Firebug console, or even the browser's address bar, and look at the request headers using LiveHttpHeaders and the response received.