开发者

Best way to protect url so that only defined party can interact each other

开发者 https://www.devze.com 2022-12-17 13:58 出处:网络
I have jsp/struts application need to upgrade. Currently we only have 1 websystem(branch) and now I need to upgrade and build another websystem that represent HQ. HQ and branches are different domain

I have jsp/struts application need to upgrade.

Currently we only have 1 websystem(branch) and now I need to upgrade and build another websystem that represent HQ. HQ and branches are different domain. HQ can see 4 branches in the HQ page. We need to login to access HQ and branches. If HQ want to see the details in branch A, we can click on the link such as

Total attack : <a href="https://www.branch_A.com/xxx/sss/?sss=333">105</a>

My Question is how to protect the URL so that the com开发者_Go百科munication can only be done by HQ and branch_A.com server securely? If we use that URL from another IP it should display unauthorized message.

I have done to control the IP using request.getRemoteAddr() in the branch but it is not enough secured.

Can anyone help me to give ideas on how to protect this url?


We need to login

So you already have a login system. As you're already asking this question, it sounds like a homegrown login system, otherwise you could just have configured the container managed authentication to check certain url-patterns for any logged-in users/roles.

You basically just need to check the logged-in user whenever specific url-patterns are been requested. A Filter is perfectly suitable for this. Let's assume that your homegrown login system puts the logged-in user in the session scope, the Filter then just need to test its presence:

if (((HttpServletRequest) request).getSession().getAttribute("user") != null) {
    chain.doFilter(request, response); // User is present. Just continue request.
} else {
    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED); // Error 401.
}

Map this Filter in web.xml on an url-pattern matching the requests you'd like to be filtered on the logged-in user. You can even go a step further by adding an user role and if the logged-in user has the right role to visit the URL.


use .htaccess to restrict incoming IP? or config in httpd.conf/virtual host. even firewall?

sth like:

order allow,deny    
deny from 123.45.6.7
deny from 012.34.5.
allow from all


I'd look at using client (and server) SSL certificates. There are guides for doing this under Apache and IIS (or use a search engine for whatever set up you have)

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号