
I used to call some of my Servlets via JS/jQuery when I click on some button of my web as follows:

// Assumed: the page contains elements with these ids (the original relied on
// the browser exposing element ids as globals; explicit lookups are clearer)
var btnComment = document.getElementById("btnComment");
var idPic = document.getElementById("idPic");
var textComment = document.getElementById("textComment");

btnComment.addEventListener("click", sending);
function sending() {
   btnComment.disabled = true;   // block a second click while the request is in flight
   $.post('/Project/AddCommentServlet', {
      id_pic: idPic.value,
      text: textComment.value
   });
}

So I call the Servlet "AddCommentServlet" using POST, sending 2 parameters.

I've disabled access by GET to that Servlet (redirecting to an error page if it happens), but... is this a secure way of working? Could it be done in another way?

I don't want anybody to be able to access the servlet via a bot or something similar if this person knows the name of the servlet and the parameters used. Someone could code a program that attacks it, knowing the endpoints and parameters, couldn't they?

Thanks!

Ommadawn
  • Well, there is no difference between calling a servlet from JS and submitting data with a form: Anyone can see the servlet your page points to, and the parameters passed, so all you need to do is to secure your servlet and do all needed checks to avoid someone breaking your application (i.e. prevent SQL injection, rename uploaded files to OS-safe and application-safe filenames, etc). – BackSlash Feb 19 '17 at 09:46
  • You could secure your endpoints following the OAuth2 protocol but that's something you'd want to use a framework for like [Spring and spring security](https://projects.spring.io/spring-security/). Other options would be to use [sessions](http://stackoverflow.com/questions/3804209/what-are-sessions-how-do-they-work) and captcha. You're asking for quite a lot here so good luck. BTW: to 'answer' your question, YES calling servlets using JS is safe (and expected actually) IF your endpoints are secure but the process of securing them is not something I want to explain – Rico Kahler Feb 19 '17 at 09:51
  • Thank you very much to you both. Your words let me understand it better! Cheers! – Ommadawn Mar 02 '17 at 21:12

1 Answer

There is no way to secure a public servlet.

If you are concerned about polite bots you can use robots.txt.

If you are concerned about hostile bots, the only way I know is to put in some kind of reCAPTCHA.

minus
  • A servlet tends to be nothing more than a web service. There are protocols for securing web endpoints. [OAuth2](https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2) is a practical standard – Rico Kahler Feb 19 '17 at 10:08
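The comments above say the endpoint itself has to be secured (session, input checks) and the answer adds that a truly public endpoint can only be rate-limited or put behind a captcha. The following is an added example, not the asker's code and not from any framework, of what "secure the servlet" looks like for the `AddCommentServlet` in the question. It assumes the javax.servlet API, that the login code stores the user id in the session attribute `user` and a random per-session token in `csrfToken`, and that the page embeds that token so the jQuery call sends it as an extra parameter `csrf`. `CommentStore` is a constructed in-memory stand-in for the database layer.

```java
// Added example (not the asker's code): a hardened AddCommentServlet.
// Assumptions: javax.servlet API; login stores the user id in session attribute
// "user" and a random per-session token in "csrfToken"; the page sends that
// token back as the POST parameter "csrf".
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.concurrent.ConcurrentLinkedQueue;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/AddCommentServlet")
public class AddCommentServlet extends HttpServlet {

    private static final int MAX_TEXT_LENGTH = 2000;

    // GET is not a supported method for this endpoint: answer 405 rather than
    // redirecting to an error page, so clients and logs see the real reason.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Only a logged-in user may comment. getSession(false) never creates
        //    a session, so an anonymous caller gets null here.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. CSRF check: the request must carry the token only our own page knows,
        //    so a third-party site cannot post on behalf of a logged-in browser.
        if (!tokenMatches((String) session.getAttribute("csrfToken"), req.getParameter("csrf"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 3. Validate every parameter before it reaches the storage layer.
        Long picId = parsePictureId(req.getParameter("id_pic"));
        String text = normalizeText(req.getParameter("text"));
        if (picId == null || text == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        CommentStore.save(user.toString(), picId, text);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Constant-time comparison so a wrong token cannot be distinguished by timing.
    static boolean tokenMatches(String expected, String supplied) {
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    // id_pic must be a positive integer; anything else is rejected outright.
    static Long parsePictureId(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,18}")) return null;
        long id = Long.parseLong(raw);
        return id > 0 ? id : null;
    }

    // text must be non-empty after trimming and bounded in length.
    static String normalizeText(String raw) {
        if (raw == null) return null;
        String t = raw.trim();
        if (t.isEmpty() || t.length() > MAX_TEXT_LENGTH) return null;
        return t;
    }

    // Constructed stand-in for the database layer; a real one would use a
    // PreparedStatement with bound parameters, never string concatenation.
    static final class CommentStore {
        static final ConcurrentLinkedQueue<String> COMMENTS = new ConcurrentLinkedQueue<>();

        static void save(String user, long picId, String text) {
            COMMENTS.add(user + ":" + picId + ":" + text);
        }
    }
}
```

The three checks map onto the thread's advice: the session check is the "sessions" option from the comments, the token check stops cross-site requests from a logged-in browser, and the parameter validation is the "do all needed checks" part. None of this stops a logged-in user from scripting the same request with a bot, which is the answer's point: for that you need per-account rate limiting or a captcha on top.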