Securing DWR

DWR is a great Ajax framework. One of the things that makes it easy is its web interface for generating JS interface files. However, that’s probably not something you want to expose to end users: it gives anyone an easy GUI for calling any published method with whatever parameters they like – a great tool for hacking!

Ultimately, your server-side code has to enforce security. But it’s also good to hide DWR’s published interface. Here are the security settings to add to your web.xml file to hide those pages while still letting DWR calls through:

<security-constraint>
  <display-name>Protect DWR</display-name>
  <web-resource-collection>
    <web-resource-name>Test</web-resource-name>
    <url-pattern>/dwr/test/*</url-pattern>
    <!-- No <http-method> element here on purpose: a collection with no
         http-method list is constrained for every HTTP method. Listing only
         GET would leave POST (and any other method) unrestricted on /dwr/test/*. -->
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Index</web-resource-name>
    <url-pattern>/dwr/index.html</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>Forbidden</description>
    <!-- A role that no user is ever mapped to, so every request is denied -->
    <role-name>Forbidden</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <!-- The container needs some auth method configured for the constraint to apply -->
  <auth-method>BASIC</auth-method>
</login-config>

This configuration puts a security constraint on /dwr/index.html and the /dwr/test directory. It requires a role called “Forbidden,” and since you never define any users with that role, nobody can get to those pages. /dwr/call/ is left unconstrained, so real DWR calls still make it through.
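As an added check (not part of the original post), here is a small Python audit that reads a web.xml and reports whether the two DWR debug URL patterns are covered by a security-constraint for every HTTP method. The two embedded web.xml fragments are constructed samples: a weak one whose Test collection lists only GET, which leaves POST unrestricted on /dwr/test/*, and a hardened one with no http-method filter inside a namespaced web-app element as real deployment descriptors use. The function and constant names are my own.

```python
import xml.etree.ElementTree as ET

# The two DWR debug URLs the post locks down.
DWR_DEBUG_PATTERNS = ("/dwr/index.html", "/dwr/test/*")


def _local(tag):
    """Strip a namespace prefix: '{http://...}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every direct child of elem whose local name is `name`."""
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]


def audit_dwr_constraints(web_xml):
    """Map each DWR debug pattern to how well a security-constraint covers it.

    Statuses:
      'all-methods'        covered with no <http-method> filter (what we want)
      'only:GET' etc.      covered, but only for the listed methods
      'any-authenticated'  auth-constraint uses role-name '*', so any logged-in
                           user gets through
      'uncovered'          no security-constraint names the pattern
    The last constraint naming a pattern wins; that is enough for this audit.
    """
    root = ET.fromstring(web_xml)
    result = {p: "uncovered" for p in DWR_DEBUG_PATTERNS}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auths = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auths:
            continue  # no auth-constraint: the collection is not access-restricted
        roles = _texts(auths[0], "role-name")
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            methods = _texts(wrc, "http-method")
            for pattern in _texts(wrc, "url-pattern"):
                if pattern not in result:
                    continue
                if "*" in roles:
                    result[pattern] = "any-authenticated"
                elif methods:
                    result[pattern] = "only:" + ",".join(methods)
                else:
                    result[pattern] = "all-methods"
    return result


# Constructed sample: the post's constraint, but with the Test collection
# narrowed to GET. /dwr/test/* is then still reachable via POST.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test</web-resource-name>
      <url-pattern>/dwr/test/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>Index</web-resource-name>
      <url-pattern>/dwr/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Forbidden</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the same lock-down with no http-method filter, inside a
# namespaced web-app element as real deployment descriptors use.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DWR debug pages</web-resource-name>
      <url-pattern>/dwr/test/*</url-pattern>
      <url-pattern>/dwr/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Forbidden</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def weak_patterns(web_xml):
    """Patterns that are not fully locked down, for a quick pass/fail."""
    return sorted(p for p, s in audit_dwr_constraints(web_xml).items()
                  if s != "all-methods")


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, audit_dwr_constraints(doc), "weak:", weak_patterns(doc))
```

Run it against your real web.xml with `audit_dwr_constraints(open("WEB-INF/web.xml").read())`; anything other than all-methods on both patterns means the debug pages are still reachable one way or another.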
