java - How do I verify that the ETag is valid if the user does not pass If-None-Match? -
my first time ever hearing of 'etag'. have been able determine system i'm on, system uses etags validate item being submitted has not been altered prior submission of changes. if user has modified item system responds etag invalid. users using rest services had been created project , have not been altered in couple years. i'm working on jira based java application has rest services plugins.
now in regards etag, i'm @ loss here. our security scan on system marks header etag risk injection of code. perhaps i'm over-thinking but,
- is etag created , set code in application or created tomcat server?
- am take value of etag , compare make sure valid?
- how validate value etag valid?
- where validation occur if if-none-match provided request?
- how protect injection?
i've been reading posts on forum things dealing etag i'm not understanding what/how etag step 1 whatever last step is.
could use reference how i'm code this.
listing resources find:
is etag created , set code in application or created tomcat server?
if server tomcat , request static file on tomcat server, yes, created tomcat. if server apache httpd , request static file, yes. etag calculation algorithm of tomcat , apache httpd differs. there no standard specification etag calculation.
if request not static file, etag can/may added response http header.
am take value of etag , compare make sure valid?
as client side, can compare etag value other http response's (usually of same url).
as server side, can compare if-non-match should responded etag value. if value matches, should respond http 304.
how validate value etag valid?
usually server validates etag. can calculate etag value every each request. more usual etag values cached on server.
where validation occur if if-none-match provided request?
it depends on server implementation.
how protect injection?
etag value not inject anything. can used http request tracking cookie. see this article.
Comments
Post a Comment