Embodiments of the present invention relate to Web applications, and more particularly relate to a secure framework for invoking server-side Application Programming Interfaces (APIs) from client-side Web Application code using AJAX (Asynchronous JavaScript and XML).
Java® and JavaScript® are registered trademarks of Oracle and/or its affiliates.
Web applications are typically composed of two code layers: a client-side layer (comprising, e.g., one or more Web pages written in HTML, JavaScript, etc.) that is interpreted in a client Web browser and is responsible for the visual presentation of the Web application to a user, and a server-side layer (comprising, e.g., one or more programs written in Java, JSP, Perl, ASP, etc.) that runs on a Web server and is responsible for executing application functions and generating client-side code. Traditionally, these two layers interact according to a synchronous model. For example, if a particular Web page needs to submit data to server-side code running on a Web server, the client Web browser sends an HTTP request to the Web server and waits for a response. The server-side code then processes the request and returns an HTTP response to the Web browser, which causes the browser to reload the Web page (or load a new page) with the contents of the response.
A problem with this synchronous model of communication is that it requires the client-side Web page to be refreshed each time data is sent between the Web browser and Web server. Although this type of behavior may be acceptable for simple Web applications, it can be problematic for more complex Web applications that send frequent requests to (or receive frequent updates from) a Web server. In these cases, each request/update causes the entire client-side Web page to be redrawn, resulting in an awkward and unintuitive user interface experience.
To address the foregoing, various technologies have been developed in recent years that enable asynchronous communication between a Web browser and Web server. One such technology, known as AJAX (Asynchronous JavaScript and XML), makes use of JavaScript on the client-side to send a request to a Web server and to poll for a response in the background. When a response from the Web server is received, the contents of the response are displayed in the client-side Web page without reloading the entire page. Since the communication between the Web browser and Web server occurs independently of the visual presentation of the Web page to the user, a much more responsive and dynamic user interface experience can be achieved.
AJAX is particularly useful for Web applications that need to invoke server-side functions (e.g., Java APIs) from client-side code (e.g., JavaScript). For example, the “Google Suggest” feature found on www.google.com uses client-side JavaScript to invoke a server-side API when a user enters search terms into a text field. The server-side API returns a list of suggested search terms based on the user-entered terms and the list is displayed in a drop-down list in the text field. In this implementation, AJAX is used to asynchronously invoke the server-side API and dynamically display the list of suggested search terms without having to refresh the client-side Web page. A number of existing Web application frameworks, such as Direct Web Remoting (DWR) and Google Web Toolkit (GWT), enable this type of asynchronous remote procedure call functionality.
However, a significant problem with existing frameworks like DWR and GWT is that they do not adequately address the many different types of security vulnerabilities that are inherent in AJAX-based Web applications. Accordingly, it would be desirable to have a framework for invoking server-side APIs from client-side code using AJAX that provides a comprehensive defense against most, if not all, common security attacks.