I am starting on web-security and I have to control the cache on the portal, this portal has many urls. I understand that I need to set the header with this:
response.setHeader("Cache-Control","no-cache,no-store,must-revalidate");
response.setHeader("Pragma", "no-cache");
But my question is: The code above is valid for all the urls that I want to controling (You know the cache) or how I set this attribute for all the urls or for a url in specific?.
Assuming you have access to both request and response objects. You can use one of the following methods of HttpRequest object in your control method to set those response parameters
- getPathInfo()
- getRequestURL()
- getRequestURI()
I mean something like this
if(request.getRequestURL().equals("http://someurl"))
{
//do your stuff
}
Put this code in a web filter and map the filter to all the urls where you want to disable caching.
Related
I have been wondering if its possible to anonymize public URL. When user makes a request with this anonymized public URL, let Nginx decode, fetch and serve the URL.
Example
Public URL http://amazon.server.com/location/file.html
Anonymized URL https://amazon.server.com/09872340-932872389-390643289/983724.html
Nginx decodes 09872340-932872389-390643289/983724.html to location/file.html
Added image below for further clarification. Nginx has a reverse logic to decode, whereas Remote Server has the logic to Anonymize URL.
Question
All I need to know is how would Nginx decode anonymized URL? Nginx got anonymized URL request. There has to be a way to decode it.
This is an answer to the updated question:
Question All I need to know is how would Nginx decode anonymized URL? Nginx got anonymized URL request. There has to be a way to decode it.
Nginx would make a request to a script, e.g., either through proxy_pass or fastcgi_pass et al.
The script could decode the URL and provide the actual URL through a Location HTTP Response Header with a 302 Found HTTP Status.
Nginx would then have the decoded URL stored in the $upstream_http_location variable. It could subsequently be used in another proxy_pass et al within a named location #named, to which you could redirect the processing of the original request from the user through error_page 302 = #named.
In all, each user request would be processed twice within nginx, but it'll all be transparent to the user -- they simply receive the resource through the original URL, with all redirects being done internally within nginx.
Define Anonymize for a URL? You can use any of the same methods as URL shortners such as http://bitly.com. But that is not truely anonymous since there is a definite mapping between the shortened URL and the target public url. If you make this per user based there is still a mapping but it is user based.
Looks like what you are suggesting is a variation on the above scheme where instead of sending the user to the target URL via a redirect you want the your server to actually fetch the content and return to the user. You need to be aware of the linked content in the public URL such as style sheets and images and adjust them accordingly. Many of the standard proxies has this kind of functionality built in. Also take a look at
https://github.com/jenssegers/php-proxy
http://search.cpan.org/~book/HTTP-Proxy-0.304/lib/HTTP/Proxy.pm.
If you are planning to build your own these can serve as a base.
I think what you want to do here is somewhat similar to another question I've answered in the past, where for each request by the client, you effectively want to make two requests to two different upstreams under the hood (first one to an upstream capable of decoding the URL, second one to actually fetch said decoded URL), but, of course, only return one result.
https://serverfault.com/questions/202011/nginx-and-2-upstreams/485044#485044
As mentioned on serverfault, you could use error_page to process another request, after the first one is complete. You could then use $upstream_http_ to make the subsequent request based on the original one, for example, using $upstream_http_location.
You might also want to look into X-Accel-Redirect header, introduced in this context at proxy_ignore_headers.
We are implementing a REST based GET implementation which returns back a list of multiple URIs in the response payload back to the client. Later the client uses each one of those URIs and then does a GET on each individual URI to get back a seperate payload. Aren't URIs returned in Location or Content-Location header only after a new Resource is created by POST.
Is the below kind of implementation violating REST standards?
**Initial Call**
GET /AllURIs
HTTP 200 OK
content-type:applicaton/xml
<URIs>
<URI> /somelocation/1 </URI>
<URI> /somelocation/2 </URI>
<URI> /somelocation/3 </URI>
<URI> /somelocation/4 </URI>
<URI> /somelocation/5 </URI>
<URIs>
**Later Call**
GET /somelocation/1
<NewObject>
.........
</NewObject>
URLs can be returned in scenarios other than posting a new resource, like pagination.
If you have multiple related URLs to any resource, the best way IMO is to add them in Link header instead of returning in the response payload. We have used this approach for pagination urls where we sent next, previous, first and last urls as a part of Link Header
Having said that, if the sole purpose of your REST request is to obtain (GET) a list of URLs and that is how you have designed your resources, then it should be okay to use URLs in response body also.
You should use the absolute URL rather than relative ones. You may use the structure like you propose - it is OK, but you may also consider using the Atom links.
I have a legacy Java webapp that does MANY redirects and forwards. I'm trying to find a way in a ServletFilter to differentiate GET requests from those server side redirects and GET requests that come from the client side.
I was hoping to do that by adding an attribute as a flag, to the header before the redirect/forward is sent and then read it in the ServletFilter to route it accordingly.
I tried request.setAttribute("myflag", "yes") before the redirect and request.getAttribute("myflag") in the ServletFilter. All I got were null values.
Can I modify headers server side and read those modifications server side?
Thanks in advance for any tips.
You can use a HttpServletRequestWrapper, there is a comprehensive tutorial on how to do that here:
http://vangjee.wordpress.com/2009/02/25/how-to-modify-request-headers-in-a-j2ee-web-application/
don't use request.setAttribute()/request.getAttribute() , it's scopes on forwards.
you can use Cookies.
If your application sets a request attribute and then forwards the request, the filter (if executed) on the forwarded URI will see the request attribute values.
In contrast, if the application sets a request attribute and then issues a redirect on the response, the browser issues a new HTTP request to the next URI - so previous request object attributes are not persisted and you'll get null values.
You could use this technique to determine which requests were redirects vs forwards.
For example:
Servlet A executed at URI /webapp/a calls request.setAttribute("forward", Boolean.TRUE) and then response.sendRedirect("/webapp/b")
If you have a servlet filter mapped to /webapp/b, in the scenario above, request.getAttribute("forward") will be null.
If, however, /webapp/a asks RequestDispatcher to forward to /webapp/b, then the call to request.getAttribute("forward") within the servlet filter's doFilter() will yield Boolean.TRUE because the request object is the same. It can then deduce that the request was forwarded (or included) and not a redirect OR a direct GET request to /webapp/b.
I need to populate some request with data and redirect back. Is there Spring RedirectAttributes analog for Java EE? I have searched and found 2 solutions, but they also have limitation:
Response.sendRedirect()
In this case I will lost all destroys request attributes. I can use Session attributes but in this case I need some mechanism that can determine when redirect comes in or when there is no redirect and data must be removed.
getRequestDispatcher(String path).forward(request,response)
The problem with path - I need to send redirect to URL not to give something jsp or Servlet by name. Is there any way to "convert" redirect URL to path? For example how I can go forward to
"http://localhost:8080/WebAppname/"?
You can use the sendRedirect and pass the parameters as part of the query string. So what you would be redirecting can be something like below
http://localhost:8080/WebAppname/myRedirect.action?param1=value1¶m2=value2
How can I set session cookies to be Http-Only in servlet API 2.5? The Cookie.setHttpOnly method was added in servlet API 3.0.
i need to do the same thing...
i'm thinking of doing a servlet filter, reading the cookies with request.getCookies(), creating the raw cookies (in a StringBuilder; not the object Cookie), appending HttpOnly and using response.setHeader("Set-Cookie", rawCookies) to put them back.
one thing to be carefull about is taking other properties, as in domain, path, secured; not just name and value
will let you know how it goes...
PS: also thought of taking the header with request.getHeader('COOKIES') and using regex to append HttpOnly, but it seems that the header COOKIES will only give you the name and the value property
I think you'll want to create some utility code that will take a Cookie and a flag for whether or not you want HttpOnly. The utility will create the associated string header for the cookie which you can pass to HttpServletResponse.addHeader("Set-Cookie", cookieHeader).