Dynamic Server-Side Parameters in XmlHttpProxy?

woodjr
Joined: 2007-01-30

Is there any way to have jMaki's XmlHttpProxy add dynamic parameter values on the server-side? In other words, it would be nice if I could define a service like this in xhp.json:

{
    "id": "my_service",
    "url": "http://my.url/service",
    "apikey": "my_api_key",
    "defaultURLParams": "remoteUser=$(REMOTE_USER)"
}

...and have XmlHttpProxy expand the "$(REMOTE_USER)" bit into the current HttpServletRequest.getRemoteUser() value at runtime.

The reason I don't want to pass in a parameter like this from the client-side JavaScript is that I want it to be "trustworthy". With something like the above configuration, I believe that would be possible. If we were careful to only issue API Keys to sites which we trust use this kind of server-side logic, it should be pretty safe for our service to trust the value of the remoteUser param. Of course, there are some other details that'd have to be addressed, like making sure that the API key is never exposed to clients and that clients cannot override the "remoteUser" param with their own value. But the first step I'd like to understand is whether jMaki has any support for this kind of dynamic server-side parameter (and, if not, what the prospects might be for adding it).

Thanks,
Jamey

gmurray71
Joined: 2003-07-31

Is there a way we can do this without binding it to the servlet API? Maybe we can base it on something in an HTTP header? Or even a property file? One solution may be that we enable the xhp.json file to point at something like a JSP where we could do it pretty easily and it wouldn't have to be tied to JSP / Servlets. Would that work?

woodjr
Joined: 2007-01-30

Hi Greg,

> Is there a way we can do this without binding it to
> the servlet API?

I would think so. Even if you did just use syntax like $(REMOTE_USER), doesn't PHP (and any other envs jMaki supports) have such a concept? From a bit of Googling, I see pages talking about a "$_SERVER['REMOTE_USER']" value in PHP? (But I'm anything but a PHP expert, so I could be wrong.)

> Maybe we can base it on something in
> an HTTP header? Or even a property file?

I'm not sure I understand how these would work. We certainly wouldn't want to trust an HTTP Header that's sent from the client (since avoiding client-alterable values is what we're explicitly trying to avoid). But if you mean an "HTTP Header" that is defined as part of the server environment's processing (such as how I think certain CGI variables are passed), it could be an option.

> One solution
> may be that we enable the xhp.json file to point at
> something like a JSP where we could do it pretty easily
> and it wouldn't have to be tied to JSP / Servlets.
> Would that work?

Yeah, I think that'd definitely work for the case I'm trying to handle. The only caveat is that we'd want to make sure that the JSP is not exposed to clients (since, again, a key piece of the scenario I'm envisioning is ensuring that clients can't get the API Key values themselves and just spoof requests that way).

Thanks,
Jamey
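
The server-side expansion discussed in this thread, as an added example (not jMaki's XmlHttpProxy code and not from either poster): it expands `$(REMOTE_USER)` from the server's authentication state and drops any client parameter that collides with a server-owned one. The class name, `buildUrl`, and the `apikey` query-parameter name are assumptions; `remoteUser` stands in for the value of HttpServletRequest.getRemoteUser(). Requires Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;

public class ServerParamProxyExample {
    static final String PLACEHOLDER = "$(REMOTE_USER)";

    // remoteUser must come from the container's authentication state
    // (e.g. HttpServletRequest.getRemoteUser()), never from request parameters.
    static String buildUrl(String serviceUrl, String defaultURLParams, String apiKey,
                           String remoteUser, Map<String, String> clientParams) {
        if (remoteUser == null || remoteUser.isEmpty()) {
            throw new IllegalStateException("no authenticated user; refusing to proxy");
        }
        // Server-owned parameters, keyed case-insensitively so "RemoteUser" cannot slip past.
        Map<String, String> serverOwned = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (String pair : defaultURLParams.split("&")) {
            if (pair.isEmpty()) continue;
            String[] kv = pair.split("=", 2);
            serverOwned.put(kv[0], kv.length > 1 ? kv[1].replace(PLACEHOLDER, remoteUser) : "");
        }
        serverOwned.put("apikey", apiKey); // assumed parameter name; added only on the server

        Map<String, String> merged = new LinkedHashMap<>(serverOwned);
        for (Map.Entry<String, String> e : clientParams.entrySet()) {
            if (!serverOwned.containsKey(e.getKey())) { // client may add, never override
                merged.put(e.getKey(), e.getValue());
            }
        }
        // Encode every name and value so a user name containing '&' or '=' cannot add parameters.
        StringBuilder url = new StringBuilder(serviceUrl);
        char sep = serviceUrl.indexOf('?') >= 0 ? '&' : '?';
        for (Map.Entry<String, String> e : merged.entrySet()) {
            url.append(sep).append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
               .append('=').append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the client tries to supply its own identity and key.
        Map<String, String> fromClient = new LinkedHashMap<>();
        fromClient.put("q", "books");
        fromClient.put("RemoteUser", "admin");
        fromClient.put("apikey", "guess");
        System.out.println(buildUrl("http://my.url/service",
                "remoteUser=$(REMOTE_USER)", "my_api_key", "alice", fromClient));
    }
}
```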