Thanks for the test case. I've filed issue:
https://glassfish.dev.java.net/issues/show_bug.cgi?id=6843
and will work on it as soon as possible. If you can attach your war file
that will save me time :-)
A+
--Jeanfrancois
glassfish_at_javadesktop.org wrote:
> Here is the servlet filter code
>
> import java.io.IOException;
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> /**
>  *
>  * @author Jacques Belissent
>  */
> public class RequireRefererFilter implements Filter {
>
>     @Override
>     public void init(FilterConfig arg0) throws ServletException {
>     }
>
>     @Override
>     public void destroy() {
>     }
>
>     @Override
>     public void doFilter(ServletRequest request, ServletResponse response,
>                          FilterChain chain)
>             throws IOException, ServletException {
>
>         HttpServletRequest httpRequest = (HttpServletRequest) request;
>         HttpServletResponse httpResponse = (HttpServletResponse) response;
>
>         // Reject any request that arrives without a Referer header
>         String referer = httpRequest.getHeader("Referer");
>         if (referer == null) {
>             httpResponse.setStatus(401);
>         } else {
>             chain.doFilter(request, response);
>         }
>     }
> }
>
> Add this to an application that makes an xhr call from a web page. Something like this will do:
>
> <html>
>   <head>
>     <title></title>
>     <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
>   </head>
>   <body>
>     <script>
>       var URL = "http://localhost:8080";
>
>       // Get the XHR object
>       var request = new XMLHttpRequest();
>       request.onreadystatechange = function () {
>         if (request.readyState == 4) {
>           var success = ((!request.status) || (request.status >= 200 && request.status < 300));
>           if (success) {
>             alert("success");
>           } else {
>             alert("fail with status: " + request.status);
>           }
>         }
>       };
>
>       request.open("POST", URL, true);
>       request.setRequestHeader("Content-type", "application/x-www-form-urlencoded" + "; charset=" + "UTF-8");
>       request.send("someparam=somevalue");
>     </script>
>   </body>
> </html>
> [Message sent by forum member 'jbelis' (jbelis)]
>
> http://forums.java.net/jive/thread.jspa?messageID=317950
>
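For comparison, a hardened variant of the filter quoted above, added here as an example and not taken from the thread: instead of only testing that a Referer is present, it reads Origin first (falling back to Referer), compares the header's host with the host the request was addressed to, exempts read-only methods, and answers 403 rather than 401. SameOriginRefererFilter and hostMatches are hypothetical names.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical hardened variant of RequireRefererFilter (added example, not from the thread). */
public class SameOriginRefererFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Read-only methods are exempt: the check only matters for state-changing requests.
        String method = req.getMethod();
        if (method.equals("GET") || method.equals("HEAD") || method.equals("OPTIONS")) {
            chain.doFilter(request, response);
            return;
        }
        // Prefer Origin (browsers send it on POST); fall back to Referer for older clients.
        String source = req.getHeader("Origin");
        if (source == null) source = req.getHeader("Referer");
        // getServerName() reflects the Host header; pin this to a configured hostname in production.
        if (source == null || !hostMatches(source, req.getServerName())) {
            // 403 rather than 401: the client is not being asked to authenticate, it is refused.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    /** True only if the header's host component equals the host the request was addressed to. */
    static boolean hostMatches(String headerValue, String expectedHost) {
        try {
            String host = new URI(headerValue).getHost(); // "null" origin or garbage yields no host
            return host != null && host.equalsIgnoreCase(expectedHost);
        } catch (URISyntaxException e) {
            return false; // malformed header value: fail closed
        }
    }
}
```

With this variant the test page above still gets a 2xx when served from the same host, while a POST carrying no Origin/Referer or one from another host is refused.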