I am using DWR, which is commonly known as Easy Ajax for Java.
But it can be accessed directly via the URL bar, like this:
http://localhost:8080/myProjectName/dwr/
From here I can execute each and every Ajax call, which is considered a threat to application security.
Is there a way to restrict this?
I'm not sure what you're trying to accomplish, but here are some suggestions:
http://localhost:8080/myProjectName/dwr/ is only available if you have set
    <init-param>
        <param-name>debug</param-name>
        <param-value>true</param-value>
    </init-param>
in your servlet declaration in web.xml. Set param-value to false and http://localhost:8080/myProjectName/dwr/ will return a 404 (page not found).
Even when you disable debug mode, it is still possible to run your functions. That is why you can restrict which classes, and which functions of those classes, are available from the web in your dwr.xml. For details on dwr.xml, check the DWR documentation.
Keep in mind that each and every function that is publicly available should check that the user is permitted to run it. I usually create a function like this:
    import javax.servlet.http.HttpSession;
    import org.directwebremoting.WebContext;
    import org.directwebremoting.WebContextFactory;

    // Returns the Person stored in the session by the login code, or null
    // when the caller is not logged in (the original declared this void
    // while returning a value; the return type is corrected here).
    private Person getLoggedInUser() {
        WebContext ctx = WebContextFactory.get();
        HttpSession session = ctx.getSession();
        if (session.getAttribute("loggedIn") != null && (Boolean) session.getAttribute("loggedIn") == true) {
            if (session.getAttribute("user") != null) {
                try {
                    return (Person) session.getAttribute("user");
                } catch (ClassCastException ex) {
                    // Something other than a Person was stored under "user": treat as anonymous
                    return null;
                }
            } else {
                return null;
            }
        } else {
            return null;
        }
    }
then at the beginning of every function that is available through the web, I do something like
    Person user = getLoggedInUser();
    if (user == null) return null;
Always keep in mind that JavaScript can be manipulated by the visitor of your site. If you publish a function through DWR, assume that it can be called by anybody. I can't stress this enough: in every function that is published through DWR, first make sure that the user is allowed to run it, then check that any arguments the user may have passed are valid.
Update: It is also possible to restrict access to a function using filters.
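The three measures the answer describes (export only the methods you intend to expose in dwr.xml, check the session user before every remoted call, and do that check centrally with a filter) can be put together as follows. This is an added example, not code from the question, the answer or the DWR project: the package com.example.dwr, the classes AuthFilter, OrderService and Person, the method placeOrder, the session attribute names "loggedIn" and "user" (taken from the answer) and the dwr.xml layout in the comment are all assumptions for illustration. The DWR API used (org.directwebremoting.AjaxFilter, AjaxFilterChain, WebContextFactory) is the DWR 2.x filter API.

```java
package com.example.dwr;

import java.lang.reflect.Method;
import javax.servlet.http.HttpSession;
import org.directwebremoting.AjaxFilter;
import org.directwebremoting.AjaxFilterChain;
import org.directwebremoting.WebContext;
import org.directwebremoting.WebContextFactory;

/*
 * Assumed dwr.xml for this example (with debug=false in web.xml, the
 * /dwr/ test pages no longer exist, but every method listed here can
 * still be called by anyone who can reach the servlet):
 *
 *   <dwr>
 *     <allow>
 *       <!-- a filter under <allow> runs before every remoted call -->
 *       <filter class="com.example.dwr.AuthFilter"/>
 *       <create creator="new" javascript="OrderService">
 *         <param name="class" value="com.example.dwr.OrderService"/>
 *         <!-- only placeOrder is exported; other methods are unreachable -->
 *         <include method="placeOrder"/>
 *       </create>
 *     </allow>
 *   </dwr>
 */
public class AuthFilter implements AjaxFilter {

    // Runs for every remoted call covered by the filter, before the target method.
    public Object doFilter(Object obj, Method method, Object[] params, AjaxFilterChain chain)
            throws Exception {
        Person user = loggedInUser();
        if (user == null) {
            // Refuse before the target method runs; the client gets an error, not data.
            throw new SecurityException("login required for " + method.getName());
        }
        return chain.doFilter(obj, method, params);
    }

    // Same check as the answer's getLoggedInUser(), but without creating a
    // session for anonymous callers and without relying on a ClassCastException.
    static Person loggedInUser() {
        WebContext ctx = WebContextFactory.get();
        HttpSession session = ctx.getSession(false);
        if (session == null) {
            return null;
        }
        Object loggedIn = session.getAttribute("loggedIn");
        if (!Boolean.TRUE.equals(loggedIn)) {
            return null;
        }
        Object user = session.getAttribute("user");
        return (user instanceof Person) ? (Person) user : null;
    }
}

// Hypothetical remoted class. The filter guarantees a logged-in user; the
// method still validates its arguments, because the JavaScript that built
// them is under the caller's control.
class OrderService {
    public String placeOrder(String orderId, int quantity) {
        if (orderId == null || !orderId.matches("[A-Z0-9]{6,12}")) {
            throw new IllegalArgumentException("invalid order id");
        }
        if (quantity < 1 || quantity > 100) {
            throw new IllegalArgumentException("invalid quantity");
        }
        Person user = AuthFilter.loggedInUser();
        // Authorisation (may this user act on this order?) belongs here too;
        // authentication alone is not enough for per-user data.
        return "order " + orderId + " x" + quantity + " placed by " + user.getName();
    }
}

// Minimal stand-in for the answer's Person type (assumed shape).
class Person {
    private final String name;

    Person(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }
}
```

Placing the filter inside a particular `<create>` element instead of directly under `<allow>` limits it to that class, which is useful when some remoted classes (a public search, say) are meant to be callable without a login.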