CGI Access Authentication


barrett777
03-14-2006, 06:43 AM
Hi All,

I have a Java Applet on my server that connects to a CGI file on the same server. I want the CGI file to execute only if it's run by the Java Applet. What are some ways of doing this?

Because of Java Applet security, applets cannot connect to any website other than the site it's being hosted on. Despite being actually run on client computers, the applet still has a way of determining its originating host.

If there is a way my CGI program can determine the client's originating host, so my CGI application is only executed if it's being called from my Applet, that would be great.

Thanks for your time,
Ben Barrett

Calilo
03-16-2006, 05:37 AM
Hi Barrett, you can achieve what you want using the environment variables. Here is a good page with info on how to use them and all the Env variables there are in Perl: you can get the host name, request IP, browser info, everything. In case the applet running on your server is going to make the request, then REMOTE_HOST should do the trick, if I am not mistaken. Good luck

http://www.cgi101.com/class/ch3/text.html

Calilo

barrett777
03-17-2006, 07:44 PM
I'm making some progress now :)

I don't think my server has REMOTE_HOST enabled, and REMOTE_ADDR just returns the IP of the client running the Java applet.

My idea for now is to use HTTP_USER_AGENT, because it lists your Java version if you're connecting with Java, as well as the browser you're using.

Here's what I hope it can check for and make sure of:

Can't connect directly to my .CGI without Java

Can't write your own Java applications because I'll check to make sure you're using a browser as well.

Can't write your own Java applets because they can only directly connect to files on its own server (And hopefully if applets use middleman files to connect to my .CGI, the HTTP_USER_AGENT will reflect that)

If you're familiar with Java, does this look possible?

Is it possible to spoof environment variables?

Thanks for your time,
Ben

rwedge
03-18-2006, 04:07 AM
You would want to look at the referrer of the user and match it to your host or applet page:

use strict;
use warnings;

my $host    = "http://$ENV{'HTTP_HOST'}";
my $referer = $ENV{'HTTP_REFERER'} || '';   # the header may be absent entirely
# \Q...\E escapes the dots in the host name so they are not regex wildcards
if ($referer !~ /^\Q$host\E/i) {
    print "Content-type: text/html\n\n";
    print "<p>Access denied for $referer. Submissions accepted from $host only";
    exit;
}

barrett777
03-18-2006, 06:02 AM
my $host = "http://$ENV{'HTTP_HOST'}";
my $referer = $ENV{'HTTP_REFERER'};
if($referer !~ /^$host/i)
{
print "Content-type: text/html\n\n";
print "<p>Access denied for $referer. Submissions accepted from $host only";
exit;
}

I tried this, but when my applet connects to the .CGI file, nothing is in the HTTP_REFERER variable. I'm guessing Java applets don't send that information, because I'm pretty sure the variable is available on my server.

YUPAPA
03-18-2006, 04:07 PM
I tried this, but when my applet connects to the .CGI file, nothing is in the HTTP_REFERER variable. I'm guessing Java applets don't send that information, because I'm pretty sure the variable is available on my server.

No, the HTTP_REFERER only has a value when you are taken from one site to another. For example, you have a link that is taking you to a CGI script displaying the HTTP_REFERER variable. You click on that link and you are being taken to the CGI script. Now the CGI script should display the URL where you were taken from.

If you call the script directly, then there should be no values assigned to HTTP_REFERER ~

You can use the HTTP_USER_AGENT to check what client the user is connecting to the CGI script ~
But I know there are ways you can change the HTTP_USER_AGENT (to Java in this case) to bypass your validation.
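The referer and User-Agent checks discussed in this thread, written out as one CGI gatekeeper. This is an added example, not code posted by anyone in the thread; the script name gate.cgi, the plain-http prefix built from HTTP_HOST, and the User-Agent string in the comment are assumptions of the example. It is written so it can be run from a shell with the CGI variables set by hand, which also shows the point made just above: every HTTP_* variable is copied by the web server from a header the client sent, so this check stops accidental direct access but not a client that sets those headers itself.

```perl
#!/usr/bin/perl
# gate.cgi (hypothetical name): added example, not code from the thread.
# Applies the referer check with its corner cases handled (missing header,
# regex metacharacters in the host, look-alike host names) and the
# User-Agent check proposed in the thread, then reports what it relied on.
#
# Simulating the CGI environment from a shell (constructed values):
#   HTTP_HOST=example.com \
#   HTTP_REFERER=http://example.com/applet.html \
#   HTTP_USER_AGENT='Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_06' \
#   perl gate.cgi
use strict;
use warnings;

# Expected URL prefix of our own pages. Assumption: plain http on port 80.
sub expected_prefix {
    my $host = $ENV{'HTTP_HOST'} || $ENV{'SERVER_NAME'} || '';
    return "http://$host";
}

# 1 if the referer is a page on our host, 0 otherwise.
# \Q..\E quotes the dots in the host; (?:/|\z) rejects example.com.other.net.
sub referer_is_local {
    my ($referer, $prefix) = @_;
    return 0 unless defined $referer && length $referer;
    return $referer =~ m{^\Q$prefix\E(?:/|\z)}i ? 1 : 0;
}

# 1 if the User-Agent mentions Java, as the thread proposes checking.
sub ua_looks_like_java {
    my ($ua) = @_;
    return (defined $ua && $ua =~ /\bJava/i) ? 1 : 0;
}

my $prefix  = expected_prefix();
my $referer = $ENV{'HTTP_REFERER'};
my $ua      = $ENV{'HTTP_USER_AGENT'};

print "Content-type: text/plain\n\n";

if (!referer_is_local($referer, $prefix) || !ua_looks_like_java($ua)) {
    print "Access denied.\n";
    print "Referer: ",    (defined $referer ? $referer : '(absent)'), "\n";
    print "User-Agent: ", (defined $ua      ? $ua      : '(absent)'), "\n";
    exit;
}

print "OK: request accepted from $referer\n";

# Provenance of each input, for the server log: HTTP_* variables are request
# headers chosen by the client; REMOTE_ADDR comes from the TCP connection.
for my $var (qw(HTTP_HOST HTTP_REFERER HTTP_USER_AGENT REMOTE_ADDR)) {
    my $origin = $var =~ /^HTTP_/ ? 'request header' : 'connection';
    printf STDERR "%-16s %-15s %s\n", $var, $origin,
        (defined $ENV{$var} ? $ENV{$var} : '(absent)');
}
```

Run with the constructed values in the comment and the request is accepted; drop HTTP_REFERER, or change it to a page on another host, and it is denied. Because the header-derived inputs are the client's own words, treat a check like this as a filter against casual direct calls rather than as authentication.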

barrett777
03-18-2006, 08:50 PM
Yeah, I've been looking at using HTTP_USER_AGENT for now, but hopefully I'll find a permanent solution (But can anyone really write unbreakable code?).

If I set file permissions on my CGI file to only execute, does that mean that my .CGI files cannot be downloaded and viewed?

If that's true, then I would at least have that on my side, that potential hackers don't know the methods I use to determine where it's run from.