security, jsp, ajax, how to hide the URL or the javascript.js in web container

[John_Woo]

Hi,

We are going to apply AJAX and struts in a web app. One thing we have
to concern is the security issue.

let's say we put the javascript.js in a folder where jsp can load, and
then specify the url in the javascript; but user can view the jsp via
web-browser's view source function, thus he/she can load the javascript
file as well, namely the url inside the javascript is no way to hide.

Can anyone have idea on this?

 

[Chris Uppal]

let's say we put the javascript.js in a folder where jsp can load, and
then specify the url in the javascript; but user can view the jsp via
web-browser's view source function, thus he/she can load the javascript
file as well, namely the url inside the javascript is no way to hide.

Can anyone have idea on this?

Yes. Don't even think about trying to prevent people reading your client-side
JavaScript. It is intrinsically open, and if your application's security
depends to the slightest extent on the users not being able to see, read, or
manipulate that (or anything else sent between browser and server) then your
application is /VERY SERIOUSLY/ broken. (In the sense of "sack the designer
instantly for gross professional negligence").

Of course, you may only want to hide this stuff to stop users being /tempted/
to meddle (even though they wouldn't be able to break anything important if
they did try it). If so then that's perfectly reasonable -- but I can't tell
you how to do it. Indeed, I doubt it if is possible -- if the user has enough
smarts to meddle in the first, then they'll quite probably have configured
their browser to ignore anything you can do to make it difficult.

-- chris