
Segregation of POST and GET request in Servlet

 
dura cell
We have a big application which is implemented in basic servlets. We have GET and POST requests in the servlets. I want to secure them in case any malicious attack happens on the form submit method. In detail, suppose a user wants to submit a form or any AJAX request from my application and he/she changes the method of submission from POST to GET; how will I recognize this?

I know that the HttpServletRequest object has getMethod(), but how will I detect that it is not changed by Tamper Data/Fiddler/Watir? Please suggest any other way. One more way I googled is using the getQueryString() method, but in a lot of places I have query parameters in my POST requests.

Please let me know if you need any more details on the same.

Thanks.
 
Richard Tookey
All the discrimination between POST and GET is done for you behind the scenes. The class HttpServlet has a method doPost() that is called when a POST is submitted and a doGet() that is called when a GET is submitted.
 
dura cell
Thanks for reply Richard.

I am framing my question "how can I detect that a client is sending me an unwarranted POST request?" I have to display some error on GUI.
 
Richard Tookey
dura cell wrote: Thanks for reply Richard.

I am framing my question "how can I detect that a client is sending me an unwarranted POST request?" I have to display some error on GUI.


I must be missing something! Any POST request, whether warranted or unwarranted, will invoke the servlet doPost() method, so in that method you decide whether or not the post was "warranted". You have to provide the logic inside the doPost() method and, if unwarranted, forward the request to some error page.
 
dura cell
What should be the logic? Any generic or specific way to handle this?

Suppose I am the end user of the application, and I tracked the request through Tamper Data and changed the method from POST to GET. How would I track on the server side that it got changed on the client side, and that my doPost() method should not respond to it? Any generic way to track this?
 
Ulf Dittmer
The alternative would be that critical data values are not sent to the client, but kept in a session on the server where they can't be altered. Or they can be encrypted before being sent on a round-trip to the client.
 
dura cell
Thanks for reply.

But it's not just data. I want to check the method type of the submission (POST or GET). The user is changing the method type from POST to GET.
 
Richard Tookey
dura cell wrote: Thanks for reply.

But it's not just data. I want to check the method type of the submission (POST or GET). The user is changing the method type from POST to GET.


I must still be missing something! If the doGet() method is invoked then the method type was a GET! If the doPost() method is invoked the method type was a POST! If a GET is expected and the user changes that to a POST then it will enter the doPost() method and not the doGet() method so you know that a change has been made. If a POST is expected and the user changes that to a GET then it will enter the doGet() method and not the doPost() method so you know that a change has been made.
 
Ulf Dittmer
Well, since GET and POST should not be used interchangeably, that should be noticeable right away, no? Then you can reject the request like Richard said.
 
Rahul B.uk
I guess you need to make a list of the requests that you are expecting as GET and POST, and before serving these requests, check the expected method type for that request against the actual one you received in the request. request.getMethod() will return the method type.
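
The per-request method list suggested in the last reply can be enforced in one place with a servlet filter. The sketch below is an added example, not code from any poster in this thread; the paths in the map are hypothetical, and it assumes the `javax.servlet` API, Java 9+, servlets mapped to exact URL patterns, and a filter mapped only to the application's servlet URLs.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects any request whose HTTP method is not on the allow-list for its path. */
public class MethodAllowListFilter implements Filter {

    // Hypothetical paths (assumption): list every endpoint of the application here.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "/account/view",   Set.of("GET"),
            "/account/update", Set.of("POST"),
            "/search",         Set.of("GET", "POST"));

    /** Pure decision function, kept separate so it can be unit tested. */
    static boolean isAllowed(String path, String method) {
        Set<String> methods = ALLOWED.get(path);
        // Unknown paths are denied: this is an allow-list, not a deny-list.
        return methods != null && methods.contains(method);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();
        // The method the server actually received; there is no "original" method to compare with.
        String method = request.getMethod();

        if (!isAllowed(path, method)) {
            Set<String> methods = ALLOWED.get(path);
            if (methods != null) {
                // Known endpoint, wrong method: 405 plus the methods it does accept.
                response.setHeader("Allow", String.join(", ", methods));
                response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            } else {
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
            }
            return; // the request never reaches doGet()/doPost()
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Register the filter with a `<filter-mapping>` in web.xml (or `@WebFilter`) so it runs ahead of the servlets it protects.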
 