Wednesday, August 2nd, 2006

Securing Access to Ajax Proxy Servers

Category: Java, Security

A little over a week ago, we linked to a blog by Sun Ajax guru Greg Murray (creator of jMaki) discussing his small Ajax server-side proxy framework for Java, called (creatively enough) XmlHttpProxy.

Greg’s back with a new blog discussing five different options for securing server-side Ajax proxy servers:

1. Token Based Restriction – Limit a client access to server-side resources by using tokens. Resources may include URLs, databases, web services, or domain objects which that service may access to complete a request. Tokens may be configured in a file or by using your server’s built-in security features.
2. Unique Hash / Session Based Restriction – When generating a page that accesses the target service you can create a unique hash or key for each client and restrict access based on the existence of the hash. The session management facilities of the servlet API may easily used to track whether or not a conversation has been established.
3. URL Based Restriction – Based on the URL in which the JavaScript is executed you can restrict access to a service.
4. Application Key Based Restriction – An application key is a flexible means of providing access to your service to a set of JavaScript clients.
5. Content-Type / Authentication Based Restriction – You can restrict JavaScript clients outside of the domain from directly accessing your service by using XML possibly in combination with basic or digest authentication.

While we confess a fondess for using client-side hacks to overcome cross-site scripting limitations, Greg’s point in the blog entry about the usefulness of using these mechanisms not only to defeat cross-site scripting but also to track (and limit) access to your own public services is well-taken.

Posted by Ben Galbraith at 11:33 pm

3 rating from 7 votes


Comments feed TrackBack URI

i live in iran.
i need a proxy site for open the closed pages.

Comment by behnam0000 — November 8, 2006

Grate article, thank you for sharing this information it’s really helpful am already running a couple of proxying sites and am thinking of implementing AJAX as well, grate info thanks again.

Comment by SEO Expert Dubai — October 21, 2007

Leave a comment

You must be logged in to post a comment.