Search code examples
tomcatjasper-reportstomcat8

Setup a nonce on tomcat server

Before I begin, please excuse my illiteracy on security. I have googled a solution, but I do not quite know which or how the solutions can be applied. I have an application that makes a call to my tomcat server (it serves JasperReport reports). The call is something like:

http://example.com/ReportServlet?report_id=123&param1=a&param2=b

If you call this the servlet will return the report. My problem is as long as you keep making this call it will return the report no matter how many times you call it. What I want is to only be able to run the report when you click the 'run report' button inside my application. So if you run that url in a browser it should not work. I was thinking of using some sort of nonce, that when the button is clicked it gets generated and can only be used to call the report once. Right now I have a solution implemented when the button is clicked a random string is generated, inserted into a database, this string is passed in the url as a parameter (http://example.com/ReportServlet?report_id=123&param1=a&param2=b&nonce=somesha256, the servlet reads this parameter and checks with the database, if it is valid it marks the string no longer valid. This isn't a clean solution, I was wondering if tomcat (or even JasperReports) has a solution similar to a nonce?

Solution

  • I was wondering if tomcat (or even JasperReports) has a solution similar to a nonce?

    Tomcat: No.

    JasperReports: I don't know. I don't expect it to have this, because its realm is different from limiting access to something. (Someone correct me if I'm wrong, adding the jasper-reports tag to the question)

    You can implement this easily in your application though, e.g. as a servlet filter, that checks for whatever nonce you decide to go with: If the nonce is present: Check its validity, then continue processing the regular request, otherwise just return with an error message.

    This typically requires you to store valid nonces (potentially for which report and/or parameters its valid as well) in some storage (usually a database) and remove/mark used there upon download or timeout.

    I almost expect the validation side (e.g. ServletFilter) to be trivial, compared to the additional administrative work you'll need to distribute the nonced URLs, but that's not what your question is about.