How to prevent my servlet from being called from some other website
Okay so I have a simple servlet like this.
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class SimpleServlet extends HttpServlet {
    @Override
    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Echo the "name" request parameter back to the caller as plain text
        resp.setContentType("text/plain");
        resp.getWriter().println(req.getParameter("name"));
    }
}
Let's say it gets triggered when I use this URL: /simple_servlet.do
How do I ensure that this servlet works only if it is called from my website and not from some other website? In other words, is there some request parameter (which cannot be spoofed) that lets me know?
The only way I can think of is that you generate a token on the server from your website (for example an MD5 of the JSESSIONID) and pass that token back to your servlet. Only your website knows the token; other websites cannot steal cookies (including the JSESSIONID) and compute the token from outside. This should also be safe from XSRF attacks.
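The approach the answer describes, as an added example that is not part of the original post: the server issues a per-session token, the site's own pages send it back, and the servlet refuses any POST that does not carry it. It uses the servlet API from the question; instead of deriving the token from the JSESSIONID with MD5 it stores a random value in the session under an assumed attribute name (csrfToken) and reads it back from an assumed request parameter (token).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SimpleServlet extends HttpServlet {
    // Assumed names: session attribute holding the token and the POST parameter carrying it
    private static final String TOKEN_ATTR = "csrfToken";
    private static final String TOKEN_PARAM = "token";
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating a random one on first use. */
    static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_ATTR, token);
            }
            return token;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Our own page fetches the token here (same origin) and puts it into its POST,
        // e.g. as a hidden form field. A page on another site cannot read this response.
        resp.setContentType("text/plain");
        resp.getWriter().println(tokenFor(req.getSession(true)));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String supplied = req.getParameter(TOKEN_PARAM);
        // The browser attaches the JSESSIONID cookie to a cross-site POST automatically, but the
        // other site does not know the token, so such a request fails this constant-time check.
        if (expected == null || supplied == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), supplied.getBytes(StandardCharsets.UTF_8))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid token");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(req.getParameter("name"));
    }
}
```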