Home/ Questions/Q 7007085
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T21:33:42+00:00

I have a jsp containing a jquery post to a servlet on my tomcat

  • 0

I have a jsp containing a jquery post to a servlet on my tomcat server which creates a HttpServletRequest. I would like to ensure that only my jsp’s calls to my servlet are processed and any requests originating from a source other than my jsp are ignored.
Is there a guaranteed way to see what is the referring page calling my server? I have read that using request.getHeader("referer") can be spoofed so I know I can’t rely on that.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Generate an unique string as token, store it in the session and embed it as a hidden input value in the POST form of the JSP and finally check in the servlet if the token is valid.

    Basically:

    On session creation (in HttpSessionListener#sessionCreated(), for example):

    Set<String> tokens = new HashSet<String>();
event.getSession().setAttribute("tokens", tokens);

    On preprocessing of the JSP request (in HttpServlet#doGet(), for example):

    String token = UUID.randomUUID().toString();
Set<String> tokens = (Set<String>) request.getSession().getAttribute("tokens");
tokens.add(token);
request.setAttribute("token", token);

    On processing the JSP itself:

    <input type="hidden" name="token" value="${token}" />

    On postprocessing of the form submit (in HttpServlet#doPost(), for example):

    String token = request.getParameter("token");
Set<String> tokens = (Set<String>) request.getSession().getAttribute("tokens");

if (!tokens.remove(token)) {
    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
    return;
}

// ...

    I of course assume that your jQuery.post() functions are written in an unobtrusive way as in $.post(form.action, form.serialize(), callback) so that it simulates exactly the normal synchronous request (in other words, your forms works perfectly fine with JS disabled).

    • 0