Dhaliwal

Reputation: 131

How to make a servlet to only handle requests from a particular website?

I have a servlet that handles some request and sends out a response accordingly.

So if I need to test that my servlet is working, I simply type the URL (below) directly into the browser and check the response.

http://localhost:8080/jnlpGenerator/create.htm?parameter1=someValue&parameter2=otherValue

This is fine during testing.

However, I would like to stop anyone from sending through this url directly from the browser in the production environment. Is this possible? This url is only meant to be used within my web-based project. So when someone clicks on a certain button, it will post the above url to access the servlet.

How can I achieve this?

Thanks

Upvotes: 1

Views: 3294

Answers (3)

weltraumpirat

Reputation: 22604

You cannot prevent URL requests from being made - you'd basically have to change the way the internet works to be able to do that. You can, however, prevent these requests from being processed by your servlet, by disallowing access for single or multiple IP addresses or making sure the user is authorized.

In order to prevent unauthorized access, both the authorization filter and `getRemoteAddress()`, as mentioned elsewhere, can be useful, but you'll have to realize some basic things first:

  • You will have to have some way of deciding which calls are authorized and which aren't.
  • You cannot simply block IP addresses, unless you know exactly which ones are going to connect to your web site.
  • You cannot just check referrers or prevent access via GET, because anyone capable of tracing TCP/IP messages can spoof entire HTTP requests easily.

Having said that, if you only have a simple web form, or some functionality that is equally trivial, you might well use a captcha or some other randomized token to prevent misuse: Your server will create a two-part randomized item each time the form is called, where one part is shown in the browser, such as an image or character sequence, and the send request will only be processed if it contains the corresponding second part.

If, however, your project is more complex, or authorization is based on user identity, you will have to look more deeply into security concepts and implement session handling, authentication, encryption, etc. There are countless ways of doing this - start by getting informed about web application security in general, then check out Java security frameworks.

Upvotes: 1
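The "two-part randomized item" described above, written out as an added example (not code from the question or from any of the answers). It assumes a Servlet 3.0+ container with the javax.servlet API, that the page with the button and the create.htm handler live in the same web application, and the hypothetical session attribute name jnlpToken. GET renders the button and issues one half of the token pair; only a POST carrying the half that matches the session does the real work:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * GET: render the page with the button and issue one half of a random token
 * pair (the other half stays in the HttpSession).
 * POST: generate the JNLP only if the browser half matches the session half.
 * A URL typed into the address bar is a GET, so it never reaches doPost; a
 * hand-crafted POST without the session-bound token gets a 403.
 */
@WebServlet("/create.htm")
public class JnlpCreateServlet extends HttpServlet {
    private static final String TOKEN_ATTR = "jnlpToken";   // assumed attribute name
    private static final SecureRandom RNG = new SecureRandom();

    private static String newToken() {
        byte[] raw = new byte[32];                           // 256 bits of entropy
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Constant-time comparison so the token cannot be guessed byte by byte via timing. */
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String token = newToken();
        req.getSession(true).setAttribute(TOKEN_ATTR, token);   // server-side half
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print(
            "<form method='post' action='create.htm'>"
          + "<input type='hidden' name='token' value='" + token + "'>"   // browser half (base64url, safe to embed)
          + "<input type='hidden' name='parameter1' value='someValue'>"
          + "<input type='hidden' name='parameter2' value='otherValue'>"
          + "<button type='submit'>Generate JNLP</button>"
          + "</form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        if (!tokenMatches(expected, req.getParameter("token"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid token");
            return;
        }
        session.removeAttribute(TOKEN_ATTR);   // single use: replaying the same POST fails
        String p1 = req.getParameter("parameter1");
        String p2 = req.getParameter("parameter2");
        resp.setContentType("application/x-java-jnlp-file");
        // The real JNLP would be built from p1 and p2 here; omitted.
        resp.getWriter().print("<jnlp></jnlp>");
    }
}
```

This stops a bookmarked or typed URL and cross-site form posts, but, as the answer says, not a determined user: anyone who can GET the page receives a valid token and can replay it once. Binding the work to a logged-in user (session plus authentication) is what actually decides who may call the servlet.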

LiuYan 刘研

Reputation: 1624

Possible ways:

  • Check the Referer http header of request to see if it's from certain source pages.
  • Have your servlet handle only the POST method and ignore GET (which is what is sent when you type the URL into the browser)
  • Use captcha/random-code/token in source pages and validate it in your servlet

But you should not rely on the first two ways, because many clients (wget/curl/flashget/...) can fake the Referer header or change their request method, like the following:

wget --referer http://srv/app/src-page --post-data xxx http://srv/app/servlet

Upvotes: 1

Adeel Ansari

Reputation: 39907

Consider writing an authorisation Filter.

However, there is no way to find out that the request is a result of a manual browser request or a button press. You can possibly write some JavaScript function to create a difference.

Upvotes: 1
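An authorisation Filter of the kind this answer suggests, as an added example that is not part of the original answer. It assumes a Servlet 3.0+ container with the javax.servlet API and a hypothetical session attribute user that the application's login code (not shown) sets after checking credentials. The filter is mapped to the servlet's URL, so it runs on every request to it no matter how that request was produced; the decision is kept in a separate method so it can be unit-tested without a container:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Runs before every request to /create.htm. Rejects anything that is not a
 * POST from a session in which a logged-in user has been recorded. Browser
 * versus button press cannot be distinguished (the answer is right about
 * that), but "logged in" and "POST" can be checked on the server.
 */
@WebFilter(urlPatterns = "/create.htm")
public class CreateAuthorizationFilter implements Filter {
    static final String USER_ATTR = "user";   // assumed: set by the login servlet

    /** Pure decision: returns the HTTP status to send, or SC_OK to let the request through. */
    static int decide(String method, Object user) {
        if (user == null) {
            return HttpServletResponse.SC_FORBIDDEN;            // nobody logged in
        }
        if (!"POST".equals(method)) {
            return HttpServletResponse.SC_METHOD_NOT_ALLOWED;   // a typed URL is a GET
        }
        return HttpServletResponse.SC_OK;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        HttpSession session = request.getSession(false);     // never create a session here
        Object user = session == null ? null : session.getAttribute(USER_ATTR);

        int verdict = decide(request.getMethod(), user);
        if (verdict != HttpServletResponse.SC_OK) {
            response.sendError(verdict);
            return;                      // the servlet never runs
        }
        chain.doFilter(req, resp);       // authorised: hand over to the servlet
    }

    // Servlet 3.0's Filter interface has no default methods, so these are required.
    @Override public void init(FilterConfig cfg) throws ServletException {}
    @Override public void destroy() {}
}
```

The POST-only rule is a convenience against accidental GETs, not a security boundary, since any client can send a POST; the check that carries weight is the session attribute, which only the application's own login code sets.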
