Segregation of POST and GET request in Servlet
We have a big application which is implemented in basic servlets. We have GET and POST requests in the servlet. I want to provide them security if any malicious attack happens on the form submit method. I want to make it secure. In detail, suppose any user wants to submit a form or any AJAX request from my application, and if he/she changes the method of submission from POST to GET, then how will I recognize this?

I know that the HttpServletRequest object has getMethod(), but how will I detect that it was not changed by Tamper Data/Fiddler/Watir? Please suggest me any other way. One more way I googled is by using the getQueryString() method, but in a lot of places I have query parameters in my POST request.

Please let me know if you need any more details on the same.

Thanks.
All the discrimination between POST and GET is done for you behind the scenes. The class HttpServlet has a method doPost() that is called when a POST is submitted and a doGet() that is called when a GET is submitted.
Thanks for the reply, Richard.

I am framing my question as "how can I detect that a client is sending me an unwarranted POST request?" I have to display some error on the GUI.
 
dura cell wrote: Thanks for the reply, Richard.

I am framing my question as "how can I detect that a client is sending me an unwarranted POST request?" I have to display some error on the GUI.

I must be missing something! Any POST request, whether warranted or unwarranted, will invoke the servlet's doPost() method, so in that method you decide whether or not the post was "warranted". You have to provide the logic inside the doPost() method and, if unwarranted, forward the request to some error page.
What should be the logic? Any generic or specific way to handle this?

Suppose I am the end user of the application. I tracked the request through Tamper Data and changed the method from POST to GET. How would I track at the server side that it got changed from the client side, so that my doPost() method should not respond to it? Any generic way to track this?
The alternative would be that critical data values are not sent to the client, but kept in a session on the server where they can't be altered. Or they can be encrypted before being sent on a round-trip to the client.
Thanks for the reply.

But it's not just data. I want to check the method type of submission (POST or GET). The user is changing the method type from POST to GET.
 
dura cell wrote: Thanks for the reply.

But it's not just data. I want to check the method type of submission (POST or GET). The user is changing the method type from POST to GET.

I must still be missing something! If the doGet() method is invoked then the method type was a GET! If the doPost() method is invoked the method type was a POST! If a GET is expected and the user changes that to a POST then it will enter the doPost() method and not the doGet() method so you know that a change has been made. If a POST is expected and the user changes that to a GET then it will enter the doGet() method and not the doPost() method so you know that a change has been made.
Well, since GET and POST should not be used interchangeably, that should be noticeable right away, no? Then you can reject the request like Richard said.
I guess you need to make a list of the requests that you are expecting as GET and as POST, and before serving these requests compare the expected method type for that request with the actual one you received in the request. request.getMethod() will return the method type.
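One way to implement the check described in the last two replies, as an added example that is not code from this thread: a servlet filter that compares the method the client actually used with the method each path is expected to use, and rejects the mismatch before the container ever reaches the servlet's doGet()/doPost(). The paths in the policy map, the filter name and the 405 error-page mapping are assumptions; it uses the javax.servlet API (Servlet 3.0+ for @WebFilter, Java 9+ for Map.of).

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the thread): rejects a request whose HTTP method
// differs from the one the application expects for that path, before any
// servlet's doGet()/doPost() is reached.
@WebFilter("/*")
public class MethodPolicyFilter implements Filter {
    // Hypothetical paths: which method(s) each servlet path is expected to use.
    // A path absent from this map is left to the servlet's own doGet()/doPost().
    private static final Map<String, Set<String>> EXPECTED_METHODS = Map.of(
        "/submitForm", Set.of("POST"),
        "/ajax/save",  Set.of("POST"),
        "/viewReport", Set.of("GET"));

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() excludes the query string, so query parameters on a
        // POST (as in the question) do not affect the lookup.
        Set<String> allowed = EXPECTED_METHODS.get(request.getServletPath());
        String actual = request.getMethod();

        if (allowed != null && !allowed.contains(actual)) {
            // The client sent e.g. GET where POST is expected. Advertise the valid
            // methods and send the user to the page mapped for error code 405 in
            // web.xml; the client-supplied method is deliberately not echoed back.
            response.setHeader("Allow", String.join(", ", allowed));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                               "Request method not allowed for this resource");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the check runs in a filter mapped to /*, a tampered GET never reaches the servlet's doGet(), and the existing doPost() code needs no change.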