The code
If we don’t want to give unwanted access to the url’s that we only need to access via ajax, we can simply do it using a Filter. Here is the code:
package net.hasnath.web.filters;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
*
* @author Md. Shamim Hasnath
*
*/
// @WebFilter("/ajax/*")
public class AjaxFilter implements Filter {
public AjaxFilter() {
}
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
if(!isAjaxRequest((HttpServletRequest)request)){
// The request doesn't comes through ajax
// Take some action here
// You can redirect to an error page, throw an exception, or just simply keep this block empty.
}else
chain.doFilter(request, response);
}
public void init(FilterConfig fConfig) throws ServletException {
}
public static boolean isAjaxRequest(HttpServletRequest request) {
return "xmlhttprequest".equals(request.getHeader("X-Requested-With").toLowerCase());
}
}
Filter mapping
Now we need to specify for which controller’s we want to apply this filter. We can make this process simple if we keep “/ajax” in all the controller’s url mapping like: @WebServlet(“/ajax/myController”) or @WebServlet(“/ajax/anotherController”) etc. Then The following filter mapping will work for all ajax requests
<filter> <filter-name>AjaxFilter</filter-name> <filter-class>net.hasnath.web.filters.AjaxFilter</filter-class> </filter> <filter-mapping> <filter-name>AjaxFilter</filter-name> <url-pattern>/ajax/*</url-pattern> </filter-mapping>
Thanks, please not that this will not totally solve the issue. One can tamper sent data and manually set the httpHeader to what ever he wants