
7.4.2 Restricting access to web data
In an ideal world, we would like to allow access to the dynamic data served from our app to the Ajax client (and possibly other authorized parties) and prevent anybody else from getting in. With some rich-client technologies, we would have the opportunity of using custom network protocols, but the Ajax application is limited to communicating over HTTP. Secure HTTP can keep the data in individual transactions away from prying eyes, as we discussed earlier, but it can't be used to determine who gets to call a particular URL.
Policing access to Ajax data streams
Fortunately, HTTP is quite a rich protocol, and the XMLHttpRequest object gives us a good level of fine-grained control over it. When a request arrives on the server, we have access to a range of HTTP headers from which we can infer things about the origin of the request.

Filtering HTTP requests

For the sake of providing concrete examples, we'll use Java code here. Other server-side technologies offer similar ways to implement the techniques that we are describing, too. In the Java web application specification, we can define objects of type javax.servlet.Filter, which intercept specific requests before they are processed at their destination. Classes implementing Filter provide the doFilter() method and may inspect the HTTP request before deciding whether to let it through or forward it on to a different destination. Listing 7.5 shows the code for a simple security filter that will inspect a request and then either let it through or forward it to an error page.
Listing 7.5 A generic Java security filter
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

public abstract class GenericSecurityFilter implements Filter {

    protected String rejectUrl = null;

    // Configure reject URL from the filter's init-param in web.xml
    public void init(FilterConfig config) throws ServletException {
        rejectUrl = config.getInitParameter("rejectUrl");
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (isValidRequest(request)) {
            // Check request validity: a valid request continues to its destination
            chain.doFilter(request, response);
        } else if (rejectUrl != null) {
            // Forward to reject URL
            RequestDispatcher dispatcher = request.getRequestDispatcher(rejectUrl);
            dispatcher.forward(request, response);
        }
        // Note: with no rejectUrl configured, an invalid request simply gets an empty response
    }

    // Subclasses decide what counts as a valid request
    protected abstract boolean isValidRequest(ServletRequest request);

    public void destroy() {}
}
Security and Ajax
The filter is an abstract class, defining an abstract method isValidRequest() that inspects the incoming request object before passing a verdict. If the method fails, the request is forwarded to a different URL, which is defined in the configuration file for the web application, which we'll look at shortly. This filter provides us with considerable flexibility in defining a concrete subclass. We can adapt it to more than one security strategy.

Using the HTTP session

One common approach is to create a token in the user's HTTP session when she logs in and check for the existence of that object in the session during subsequent requests before performing any other actions. Listing 7.6 demonstrates a simple filter of this type.
Listing 7.6 Session token-checking filter
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionTokenSecurityFilter extends GenericSecurityFilter {

    protected boolean isValidRequest(ServletRequest request) {
        boolean valid = false;
        // Only HttpServletRequest exposes the session, so cast first;
        // getSession(false) avoids creating a new session for an anonymous caller
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session != null) {
            // UserToken is the application's own login marker, stored in the session at login
            UserToken token = (UserToken) session.getAttribute("userToken");
            if (token != null) {
                valid = true;
            }
        }
        return valid;
    }
}
This technique is commonly used in conventional web applications, typically forwarding to a login screen if validation fails. In an Ajax application, we are free to return a much simpler response in XML, JSON, or plain text, which the client could respond to by prompting the user to log in again. In chapter 11, we discuss a fuller implementation of such a login screen for our Ajax Portal application.

Using encrypted HTTP headers

Another common strategy for validating a request is to add an additional header to the HTTP request and check for its presence in the filter. Listing 7.7 shows a second example filter that looks for a specific header and checks the encrypted value against a known key held on the server.
Listing 7.7 HTTP header-checking filter
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;

public class SecretHeaderSecurityFilter extends GenericSecurityFilter {

    private String headerName = null;

    public void init(FilterConfig config) throws ServletException {
        super.init(config);
        // Configure header name from web.xml
        headerName = config.getInitParameter("headerName");
    }

    protected boolean isValidRequest(ServletRequest request) {
        // Note: if no headerName is configured, valid stays true and every request passes
        boolean valid = true;
        HttpServletRequest hrequest = (HttpServletRequest) request;
        if (headerName != null) {
            valid = false;
            // Get header value
            String headerVal = hrequest.getHeader(headerName);
            // Encrypter and EncryptUtils are the book's helper classes (downloadable code)
            Encrypter crypt = EncryptUtils.retrieve(hrequest);
            if (crypt != null) {
                // Compare header value against the secret held in the session
                valid = crypt.compare(headerVal);
            }
        }
        return valid;
    }
}
When testing the request, this filter reads a specific header name and compares it with an encrypted value stored in the server session. This value is transient and may be generated randomly for each particular session in order to make the system harder to crack. The Encrypter class uses the Apache Commons Codec classes and the java.security.MessageDigest class to generate a hex-encoded MD5 value. The full class listing is available in the downloadable code that accompanies this book. The principle of deriving a hex-encoded MD5 in Java is shown here:
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.codec.binary.Base64;

// Digest the private key followed by the public key: MD5(privKey || pubKey)
static String deriveToken(String privKey, String pubKey) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("MD5");
    byte[] data = privKey.getBytes();
    digest.update(data);
    byte[] raw = digest.digest(pubKey.getBytes());
    // As written, this snippet Base64-encodes the digest with Commons Codec;
    // a hex encoding would use org.apache.commons.codec.binary.Hex.encodeHex(raw) instead
    byte[] b64 = Base64.encodeBase64(raw);
    return new String(b64);
}
where privKey and pubKey are the private and public keys, respectively. To configure this filter to review all URLs under the path /Ajax/data, we can add the following filter definition to the web.xml configuration file for our web application:
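Separately from that web.xml mapping (which is the same for any of these filters), here is an added example of the per-session random value the text mentions, written for this edit and not taken from the book's downloadable code: the login handler mints a token with SecureRandom and stores it in the HttpSession, the Ajax client echoes it in a request header, and the filter compares the two in constant time with MessageDigest.isEqual. The attribute name ajaxToken and header name X-Ajax-Token are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example; extends the GenericSecurityFilter of Listing 7.5
public class SessionHeaderTokenFilter extends GenericSecurityFilter {

    // Attribute and header names are assumptions for this example
    static final String TOKEN_ATTR = "ajaxToken";
    static final String TOKEN_HEADER = "X-Ajax-Token";
    private static final SecureRandom RANDOM = new SecureRandom();

    // Called by the login handler: mint a fresh 128-bit token for this session.
    // The login response hands the value to the Ajax client, which sends it
    // back in TOKEN_HEADER on every data request.
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
        return token;
    }

    protected boolean isValidRequest(ServletRequest request) {
        HttpServletRequest hrequest = (HttpServletRequest) request;
        // false: do not create a session for a caller that has not logged in
        HttpSession session = hrequest.getSession(false);
        if (session == null) {
            return false;
        }
        Object expected = session.getAttribute(TOKEN_ATTR);
        String presented = hrequest.getHeader(TOKEN_HEADER);
        if (!(expected instanceof String) || presented == null) {
            return false;
        }
        // Constant-time comparison: a plain equals() returns on the first
        // differing byte, which leaks information through response timing
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }
}
```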