I want to prevent unauthorized hacking/stealing of a web service that is offered by a servlet that is part of a public web site. How can I make sure that a servlet is ONLY called by visitors to a specific url on the site?
Specifically, I have two servlets that together produce an html page that contains a customized image. The image parameters are set by the interaction between the jsp and servlet1. And those image parameters are then sent from the jsp into servlet2 from within an img tag in the jsp.
I have included relevant sections of code below, but my questions are:
- What can I add to servlet2 doGet() below to make sure that servlet2 doGet() only runs if it is called from my.jsp by a visitor to my web site?
- Can I do anything to the jstl or to other parts of my.jsp below to protect against unauthorized calls to servlet2?
- What else can I do to prevent unauthorized calls to servlet2?
My jsp looks something like:
<form method="post">
<img src="url-pattern-for-servlet2?a=${param.a}&b=${param.b}" />
<input type="text" name="a" value="${empty param.a ? '5' : param.a}" size="15" />
<input type="text" name="b" value="${empty param.b ? '7' : param.b}" size="15" />
<input type="submit" name="submit-button" value="click here" />
</form>
Servlet1 has a doPost() method which handles the form input by checking for errors and then calls jsp.forward(request, response) to return HTML in which the img tag's src attribute is populated by the values of param.a and param.b.
Servlet2 has a doGet() method which looks something like:
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String a = req.getParameter("a");
    String b = req.getParameter("b");
    // some code to create myBufferedImage using a and b
    resp.setContentType("image/gif"); // 256 colors
    ImageIO.write(myBufferedImage, "gif", resp.getOutputStream());
}
The system of two servlets is required so that the resulting image can be embedded within an img tag within an html page. If I just did one servlet, the web form would produce an image only, and the end user would not be able to continue to use the web form to create new custom versions of the image unless they hit the back button each time.
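One common mitigation, shown here as an added illustration rather than code from the question: have servlet1 sign the image parameters it places into the page with an HMAC keyed by a server-side secret and bound to the visitor's session, and have servlet2 refuse any request whose signature does not verify. The `ImageTokenUtil` helper, the extra `sig` request parameter, the placeholder secret and the toy rectangle rendering are all assumptions of this example; only the `a`/`b` parameters and the GIF response come from the question.

```java
import java.awt.Color;
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.imageio.ImageIO;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical helper (not part of the question). The secret must be random,
// per deployment, and loaded from configuration; the literal is a placeholder.
final class ImageTokenUtil {
    private static final byte[] SECRET =
            "REPLACE-WITH-RANDOM-SECRET".getBytes(StandardCharsets.UTF_8);

    // HMAC over the exact parameters plus the session id, so the token is only
    // valid for this (a, b) pair and only within the visitor's own session.
    static String sign(String a, String b, HttpSession session) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            String msg = a + "\u0000" + b + "\u0000" + session.getId();
            return Base64.getUrlEncoder().withoutPadding()
                    .encodeToString(mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean verify(String a, String b, String token, HttpSession session) {
        if (a == null || b == null || token == null || session == null) return false;
        byte[] expected = sign(a, b, session).getBytes(StandardCharsets.UTF_8);
        byte[] given = token.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison: no leak of how many leading bytes matched.
        return MessageDigest.isEqual(expected, given);
    }
}

// servlet1: after validating the form, expose the signature to the JSP. The JSP
// then emits <img src="...servlet2?a=${param.a}&amp;b=${param.b}&amp;sig=${sig}" />.
public class Servlet1 extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String a = req.getParameter("a");
        String b = req.getParameter("b");
        // ... existing error checking of a and b goes here ...
        req.setAttribute("sig", ImageTokenUtil.sign(a, b, req.getSession(true)));
        req.getRequestDispatcher("/my.jsp").forward(req, resp);
    }
}

// servlet2: reject any call whose signature does not match before doing work.
public class Servlet2 extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false); // never create one here
        String a = req.getParameter("a");
        String b = req.getParameter("b");
        String sig = req.getParameter("sig");
        if (!ImageTokenUtil.verify(a, b, sig, session)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        BufferedImage myBufferedImage = render(a, b);
        resp.setContentType("image/gif"); // 256 colors
        ImageIO.write(myBufferedImage, "gif", resp.getOutputStream());
    }

    // Toy stand-in for the real image code: a rectangle a x b pixels, clamped.
    static BufferedImage render(String a, String b) {
        int w = Math.max(1, Math.min(200, Integer.parseInt(a)));
        int h = Math.max(1, Math.min(200, Integer.parseInt(b)));
        BufferedImage img = new BufferedImage(200, 200, BufferedImage.TYPE_BYTE_INDEXED);
        Graphics2D g = img.createGraphics();
        g.setColor(Color.WHITE);
        g.fillRect(0, 0, 200, 200);
        g.setColor(Color.BLUE);
        g.fillRect(0, 0, w, h);
        g.dispose();
        return img;
    }
}
```

With this in place a direct request to servlet2 carrying only `a` and `b` gets a 403, and a token lifted from one visitor's page does not verify in another session. It does not stop the visitor who legitimately received the page from re-requesting the same signed URL within their own session, so a rate limit on servlet2 is a sensible companion control.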