users@jersey.java.net

RE: [Jersey] Web applications using XMLHttpRequest and JAX-RS REST/JSON Web Services

From: Robertson, Jeff <jeff.robertson_at_digitalinsight.com>
Date: Mon, 10 Nov 2008 17:07:49 -0500

It's occurred to me that dealing with CSRF in JAX-RS (and elsewhere) would be simpler if we had a little bit more of that "hypermedia as the engine of application state".
 
In HTML, some part of the framework or other infrastructure (such as a WAF) can insert a nonce into every form, transparently to the application code.
 
<form action="foo" method="POST">
   <input type="text" name="bar">
   <input type="submit" >
   <!-- added by framework -->
   <input type="hidden" name="__nonce" value="jhgajhdgu2q324234ghjg22">
</form>
 
The developer of the "foo" resource doesn't have to think about it any more than he has to think about something like basic authentication.
 
If our web services used form tags or the equivalent in order to give hints to the client about what actions are possible, then we can get this kind of protection for free.
 
It's funny.. I've been a doubter about the idea that RESTful web services needed to be "constrained" to hypertext; obviously hypertext is good for the human web, but for the programmable web it seems kind of optional; something you'd use just to prevent Roy Fielding from scolding you on his blog. Now a concrete benefit has formed clearly in my mind. Wow.
 
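What the framework-inserted nonce looks like when carried over from HTML forms to a JAX-RS service, as an added example that is not from the original thread or from Jersey itself. It is written against the JAX-RS 2.x API (not the Jersey 1.x of 2008), and everything in it is assumed for illustration: the `/foo` resource and its JSON "form" descriptor, the `X-CSRF-Nonce` header (a header rather than a hidden field, since the XMLHttpRequest clients in this thread can set one and a cross-site HTML form cannot), the `JSESSIONID` cookie name, and the `CSRF_KEY` environment variable holding the HMAC key. The nonce is stateless: an expiry plus an HMAC over the session id and expiry, so the filter needs no server-side nonce store and the resource author never sees the check, which is the point the post makes.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.Consumes;
import javax.ws.rs.CookieParam;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Stateless, session-bound CSRF nonce: base64url(expiry + "." + HMAC-SHA256(key, sessionId + "." + expiry)). */
final class CsrfNonce {
    private static final long TTL_MILLIS = 30 * 60 * 1000L;   // nonce lifetime: 30 minutes
    private final byte[] key;                                  // server-side secret, never sent to clients

    CsrfNonce(byte[] key) { this.key = key.clone(); }

    /** Issue a nonce tied to this session; a nonce issued for one session is useless in another. */
    String issue(String sessionId) {
        long expiry = System.currentTimeMillis() + TTL_MILLIS;
        String token = expiry + "." + mac(sessionId, expiry);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token.getBytes(StandardCharsets.US_ASCII));
    }

    /** True only if the nonce decodes, has not expired, and its MAC matches this session id (constant-time compare). */
    boolean verify(String sessionId, String nonce) {
        if (sessionId == null || nonce == null) return false;
        String decoded;
        try { decoded = new String(Base64.getUrlDecoder().decode(nonce), StandardCharsets.US_ASCII); }
        catch (IllegalArgumentException e) { return false; }
        int dot = decoded.indexOf('.');           // base64url alphabet has no '.', so this is the separator
        if (dot < 0) return false;
        long expiry;
        try { expiry = Long.parseLong(decoded.substring(0, dot)); } catch (NumberFormatException e) { return false; }
        if (expiry < System.currentTimeMillis()) return false;
        byte[] expected = mac(sessionId, expiry).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = decoded.substring(dot + 1).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    private String mac(String sessionId, long expiry) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] tag = m.doFinal((sessionId + "." + expiry).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}

/** Framework-level check: every unsafe request must carry a nonce that matches its session cookie. */
@Provider
public class CsrfFilter implements ContainerRequestFilter {
    static final String NONCE_HEADER = "X-CSRF-Nonce";       // assumed header name
    static final String SESSION_COOKIE = "JSESSIONID";        // assumed session cookie name
    static final CsrfNonce NONCE = new CsrfNonce(loadKey());

    private static byte[] loadKey() {
        String hex = System.getenv("CSRF_KEY");               // assumption: 32-byte key supplied by deployment config
        if (hex == null) throw new IllegalStateException("CSRF_KEY not configured");
        return hex.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String method = ctx.getMethod();
        if (method.equals("GET") || method.equals("HEAD") || method.equals("OPTIONS")) return;  // safe methods
        Cookie session = ctx.getCookies().get(SESSION_COOKIE);
        String sessionId = session == null ? null : session.getValue();
        if (!NONCE.verify(sessionId, ctx.getHeaderString(NONCE_HEADER))) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN)
                .type(MediaType.TEXT_PLAIN).entity("missing or invalid CSRF nonce").build());
        }
    }
}

/** Hypothetical resource: GET returns a "form" describing the POST that is possible, nonce included. */
@Path("foo")
public class FooResource {
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public String describe(@CookieParam(CsrfFilter.SESSION_COOKIE) String sessionId) {
        String nonce = CsrfFilter.NONCE.issue(sessionId);
        return "{\"action\":\"/foo\",\"method\":\"POST\",\"fields\":[\"bar\"],\"__nonce\":\"" + nonce + "\"}";
    }

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response submit(@FormParam("bar") String bar) {   // nothing CSRF-related here: the filter already ran
        return Response.ok("stored " + bar, MediaType.TEXT_PLAIN).build();
    }
}
```

The XHR client does a GET on `/foo`, reads `__nonce` out of the descriptor, and sends it back as `X-CSRF-Nonce` on the POST. A cross-site page cannot do that: an HTML form cannot set the header, and a cross-origin XMLHttpRequest cannot without a CORS grant, so the forged request arrives with the victim's cookie but no valid nonce and is rejected at the filter. Two caveats: the session cookie must be one the server issues (an anonymous GET yields a nonce bound to no session, which `verify` rejects), and the key must be kept out of any response.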
________________________________

From: Craig.McClanahan_at_Sun.COM [mailto:Craig.McClanahan_at_Sun.COM]
Sent: Monday, November 10, 2008 4:48 PM
To: users_at_jersey.dev.java.net
Subject: Re: [Jersey] Web applications using XMLHttpRequest and JAX-RS REST/JSON Web Services



        Eduardo Pérez Ureta wrote:

                Like Josh:
                http://joshdevins.blogspot.com/2008/10/jax-rs-woes-continue.html
                I would like to send a text/plain response with a message when I
                output a 401 Unauthorized response. Is there a way to do that with
                JAX-RS ?
                  

        Set up your resource method to return Response, and then something like this should work:
        
            @GET
            @Path("{id}")
            public Response findCustomer(@PathParam("id") String id) {
                // @PathParam names the template variable without braces
                if (!userIsAuthorized(...)) {
                    // explicit status, content type and body instead of throwing
                    return Response.status(401).type("text/plain").entity("This is my error message").build();
                }
                Customer customer = ...
                return Response.ok(customer).build();
            }
        
        

                Craig McClanahan wrote:
                  

                        Are there particular aspects of CSRF that you are concerned about?
                            

                No, I just wanted to know if there is a defacto standard way to do
                that using JAX-RS
                
                  

        I don't know of anything that specifically relates to JAX-RS in this regard.
        
        Craig
        

                Eduardo
                
                ---------------------------------------------------------------------
                To unsubscribe, e-mail: users-unsubscribe_at_jersey.dev.java.net
                For additional commands, e-mail: users-help_at_jersey.dev.java.net