1. Field of the Invention
The present invention relates generally to client-server computing systems, and more particularly to a method and system for protecting publicly viewable web client references to server-side resources.
2. Description of the Related Art
In web-based applications, an application passes a reference to a server-side resource or to application logic to the client in response to a request for that server-side resource. These references, in the form of tokens, are used by clients, via JavaScript, to make requests back to the application logic on the server for processing or updating. Examples of such references are a method binding expression or a value binding expression in HTML markup generated by JavaServer Faces™ components rendered in an HTML page. In order to reference re-usable server-side resources such as components, methods or value binding expressions, a client requesting the server-side resources stores references to them on the client and uses the stored references in subsequent requests for those resources from the server. These references retained at the client are, however, transparent to users, as they are not embedded within Java code but are provided as parameters when requesting these resources from the server. These server-side resource references may reflect the underlying data model of the server-side application and may expose that data model to clients and other users when requests for server-side resources are made. Using the data model of the server-side portion of an application, one can directly access the application logic associated with the server-side resources, which may create a security threat to those resources.
In order to hide application-specific resources from public view, requests in the form of cookies with incorporated session IDs and/or randomly generated URLs that map a user's session to a browser are used. This mechanism of accessing the server-side resources using session IDs and randomly generated URLs is, however, transparent to developers and does not solve the technical problem of exposing the server-side application data models to the public.
In view of the foregoing, there is a need for a method and system that overcomes the aforementioned problems by protecting publicly viewable client references to server-side resources and business logic, and that can be implemented easily and efficiently across all server platforms.
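The exposure described in the related art, and the kind of protection the preceding paragraph calls for, can be illustrated with a small server-side indirection layer. The following is an added example written for this page; it is not code from the patent or from JavaServer Faces. The binding expression `#{orderBean.deleteOrder}`, the session identifiers, the `ReferenceTokenMap` class and the `handle_request` dispatcher are all constructed for illustration. The "before" renderer emits the raw server-side reference into the page as a request parameter, exactly the situation the background section describes; the "after" renderer emits a random per-session token instead, and the server refuses to interpret anything that is not a token it issued to that same session.

```python
"""Opaque-token indirection for client-visible server-side resource references.

Added example (not from the original page). A server-side action reference
(a JSF-style method binding expression, constructed here) is replaced in the
rendered markup by a random per-session token; the server resolves the token
back to the real reference only if it was issued for that same session.
"""
import hmac
import secrets
from html import escape

# Constructed sample: the kind of binding expression the background section
# describes being exposed in HTML markup. The bean and method are hypothetical.
EXPOSED_REFERENCE = "#{orderBean.deleteOrder}"


def render_exposed(reference: str) -> str:
    """'Before' rendering: the raw server-side reference is written into the
    page as a request parameter, so anyone viewing the page can read the
    data model it reflects and replay it against the server."""
    return f'<input type="hidden" name="action" value="{escape(reference)}">'


class ReferenceTokenMap:
    """Server-side, per-session map from opaque tokens to real references.

    The client only ever sees and sends the token; the reference itself
    never leaves the server."""

    def __init__(self) -> None:
        # session id -> {token -> server-side reference}
        self._by_session = {}

    def register(self, session_id: str, reference: str) -> str:
        """Issue an unguessable token for `reference`, bound to `session_id`.
        The same reference yields the same token within one session so that
        re-rendering the page does not invalidate earlier forms."""
        table = self._by_session.setdefault(session_id, {})
        for token, known_ref in table.items():
            if known_ref == reference:
                return token
        token = secrets.token_urlsafe(24)  # 192 random bits, not derived from the reference
        table[token] = reference
        return token

    def resolve(self, session_id: str, token: str) -> str:
        """Map a token received from the client back to its reference.
        Unknown tokens, tokens issued to another session, and raw references
        sent in place of a token are all rejected, never interpreted."""
        table = self._by_session.get(session_id, {})
        for known_token, reference in table.items():
            # constant-time comparison so lookup timing does not leak token bytes
            if hmac.compare_digest(known_token, token):
                return reference
        raise PermissionError("unknown or foreign resource token")


def render_protected(refs: ReferenceTokenMap, session_id: str, reference: str) -> str:
    """'After' rendering: the page carries only the opaque token."""
    token = refs.register(session_id, reference)
    return f'<input type="hidden" name="action" value="{escape(token)}">'


def handle_request(refs: ReferenceTokenMap, session_id: str, form: dict) -> str:
    """Constructed request handler: the submitted 'action' parameter is
    resolved through the session's token map before any dispatch happens."""
    reference = refs.resolve(session_id, form["action"])
    # In a real application the resolved reference would be dispatched to the
    # bound component or method here; this stand-in just reports it.
    return f"invoked {reference}"


if __name__ == "__main__":
    refs = ReferenceTokenMap()
    print("exposed:  ", render_exposed(EXPOSED_REFERENCE))
    print("protected:", render_protected(refs, "sess-A", EXPOSED_REFERENCE))
```

Within one session the client can still drive the same server-side action it could before, but the markup no longer reveals the bean or method name, a token cannot be transplanted into another user's session, and submitting the original binding expression directly is refused because it was never issued as a token.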