开发者

Best way to protect url so that only defined party can interact each other

问答 作者:

I have jsp/struts application need to upgrade.

Currently we only have 1 websystem(branch) and now I need to upgrade and build another websystem that represent HQ. HQ and branches are different domain. HQ can see 4 branches in the HQ page. We need to login to access HQ and branches. If HQ want to see the details in branch A, we can click on the link such as 

Total attack : <a href="https://www.branch_A.com/xxx/sss/?sss=333">105</a>

My Question is how to protect the URL so that the com开发者_Go百科munication can only be done by HQ and branch_A.com server securely? If we use that URL from another IP it should display unauthorized message.

I have done to control the IP using request.getRemoteAddr() in the branch but it is not enough secured.

Can anyone help me to give ideas on how to protect this url?

We need to login

So you already have a login system. As you're already asking this question, it sounds like a homegrown login system, otherwise you could just have configured the container managed authentication to check certain url-patterns for any logged-in users/roles.

You basically just need to check the logged-in user whenever specific url-patterns are been requested. A Filter is perfectly suitable for this. Let's assume that your homegrown login system puts the logged-in user in the session scope, the Filter then just need to test its presence:

if (((HttpServletRequest) request).getSession().getAttribute("user") != null) {
    chain.doFilter(request, response); // User is present. Just continue request.
} else {
    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED); // Error 401.
}

Map this Filter in web.xml on an url-pattern matching the requests you'd like to be filtered on the logged-in user. You can even go a step further by adding an user role and if the logged-in user has the right role to visit the URL.

use .htaccess to restrict incoming IP? or config in httpd.conf/virtual host. even firewall?

sth like:

order allow,deny    
deny from 123.45.6.7
deny from 012.34.5.
allow from all

I'd look at using client (and server) SSL certificates. There are guides for doing this under Apache and IIS (or use a search engine for whatever set up you have)

继续阅读:encryptionhttpsservlets

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9