security, jsp, ajax, how to hide the URL or the javascript.js in web container

Discussion in 'Java' started by John_Woo, Nov 7, 2006.

  1. John_Woo

    John_Woo Guest

    Hi,

    We are going to apply AJAX and struts in a web app. One thing we have
    to concern is the security issue.

    let's say we put the javascript.js in a folder where jsp can load, and
    then specify the url in the javascript; but user can view the jsp via
    web-browser's view source function, thus he/she can load the javascript
    file as well, namely the url inside the javascript is no way to hide.

    Can anyone have idea on this?
     
    John_Woo, Nov 7, 2006
    #1
    1. Advertisements

  2. John_Woo

    Chris Uppal Guest

    Yes. Don't even think about trying to prevent people reading your client-side
    JavaScript. It is intrinsically open, and if your application's security
    depends to the slightest extent on the users not being able to see, read, or
    manipulate that (or anything else sent between browser and server) then your
    application is /VERY SERIOUSLY/ broken. (In the sense of "sack the designer
    instantly for gross professional negligence").

    Of course, you may only want to hide this stuff to stop users being /tempted/
    to meddle (even though they wouldn't be able to break anything important if
    they did try it). If so then that's perfectly reasonable -- but I can't tell
    you how to do it. Indeed, I doubt it if is possible -- if the user has enough
    smarts to meddle in the first, then they'll quite probably have configured
    their browser to ignore anything you can do to make it difficult.

    -- chris
     
    Chris Uppal, Nov 7, 2006
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.