Wednesday, August 2nd, 2006
1. Token Based Restriction – Limit a client’s access to server-side resources by using tokens. Resources may include URLs, databases, web services, or domain objects that the service may access to complete a request. Tokens may be configured in a file or by using your server’s built-in security features.
2. Unique Hash / Session Based Restriction – When generating a page that accesses the target service you can create a unique hash or key for each client and restrict access based on the existence of the hash. The session management facilities of the servlet API may easily be used to track whether or not a conversation has been established.
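Both mechanisms combined into one authorization check for a server-side proxy endpoint, as an added example that is not from the original post or from Greg’s entry. It models the check in plain Python rather than the servlet API; the resource tokens, upstream URLs and the session dictionary are constructed for illustration.

```python
import hmac
import secrets

# Constructed allow-list: the client names an opaque resource token, never a raw
# URL, so the proxy can only reach resources the server has chosen to expose.
RESOURCE_TOKENS = {
    "weather": "https://api.example.test/weather",
    "stocks": "https://quotes.example.test/v1/quote",
}


def issue_conversation_key(session):
    """Run while rendering the page that will call the proxy: mint a random
    per-client key, remember it in the server-side session (a dict stands in
    for HttpSession here) and return it for embedding in the page."""
    key = secrets.token_urlsafe(32)
    session["proxy_key"] = key
    return key


def authorize_proxy_request(session, presented_key, resource_token):
    """Return the upstream URL the proxy may fetch, or None to refuse.

    Refuses when no conversation was established (no key in the session or
    none presented), when the presented key does not match, or when the
    resource token is not on the allow-list."""
    expected = session.get("proxy_key")
    if expected is None or presented_key is None:
        return None
    # Constant-time comparison so the key cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, presented_key):
        return None
    return RESOURCE_TOKENS.get(resource_token)


if __name__ == "__main__":
    session = {}
    key = issue_conversation_key(session)
    print(authorize_proxy_request(session, key, "weather"))   # allowed
    print(authorize_proxy_request(session, key, "internal"))  # None
    print(authorize_proxy_request({}, key, "weather"))        # None
```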
While we confess a fondness for using client-side hacks to overcome cross-site scripting limitations, Greg’s point in the blog entry about the usefulness of using these mechanisms not only to defeat cross-site scripting but also to track (and limit) access to your own public services is well-taken.
Posted by Ben Galbraith at 11:33 pm