Thursday, 21 July 2016

Client-Server Proxy

Client-server proxy is sometimes also known as client/SOA. Client-server proxy
applications have two main determining factors: they rarely require a full page reload
during usage, and session state is mostly handled by the client. Due to the lack of full
page reloads, the client-server proxy style of AJAX applications is often described as
“wrapping an AJAX GUI around a web service.”

In the proxy style of AJAX application, the JavaScript that will be executed in a client’s
web browser can be generated in two ways. The first way is for the JavaScript methods to be
prerendered on the server and then sent down to the client. These methods are generally
named the same as, or quite similarly to, methods on the server. When the client receives
the JavaScript methods from the server, the methods are simply plugged into an eval() and
executed. The other way of generating the JavaScript is for the server to send down a chunk
of JavaScript to the client, which, once executed, is able to generate new JavaScript
methods on the fly. It does so by reading a list of methods defined by the server in a file
such as a Web Services Description Language (WSDL) file. In practice, the prerendered style
of generating JavaScript is more commonly seen in real-world AJAX applications, while
on-the-fly generation is usually seen only with web applications that use Simple Object
Access Protocol (SOAP).

Despite the number of different client-server proxy frameworks in existence, the steps
involved with creating a proxy-style AJAX web application are generally the same:

1. The framework looks at server-side code, such as a Java web application, where
certain methods are tagged as public.
2. The framework is told which of these functions are to be exposed to clients.
3. Framework code then automatically goes through and tags these methods and
generates a JavaScript proxy that puts methods, often of the same name, into
the web browser.
4. Then, whenever the client makes a method call in JavaScript, the call is passed
on to the JavaScript proxy and then on to the actual method being called.

This allows for easy abstraction, for example, when one development team is working on
the actual application and another team is working on web design. The web design team
can simply be handed a file of JavaScript methods that can be called to perform work
when needed, without having to interact with the behind-the-scenes Java application. A
client-server proxy-style application such as this requires the client to contain all of the
available methods because, due to the asynchronous nature of AJAX, any method can be
called at any time. For this reason, a client-server proxy-style AJAX implementation is
quite interesting and useful from an attacker’s perspective.
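
Because the browser holds the full method list, the server has to treat each proxied call as untrusted. The following is an added example, not code from the original page or from any particular framework: the server side of a prerendered proxy, where the stubs come from an explicit registry and every call is re-authorized. The names `exposed`, `generateProxySource`, `dispatch`, `rpc` and the sample methods are assumptions made for illustration.

```javascript
// Added example with hypothetical names: server side of a prerendered proxy.
// Only methods in this explicit registry are exposed (step 2 of the list above);
// each entry also records which roles may call it.
const exposed = new Map([
  ["getProfile", { roles: ["user", "admin"], fn: (s) => ({ user: s.user }) }],
  ["deleteUser", { roles: ["admin"], fn: (s, id) => `deleted ${id}` }],
]);

// Server-internal helper that is deliberately NOT in the registry.
function resetAllPasswords() { return "reset"; }

// Step 3: prerender the client stubs, one per registry entry and nothing else.
// `rpc` is an assumed client-side helper that sends {method, args} to the server.
function generateProxySource() {
  return [...exposed.keys()]
    .map((name) =>
      `function ${name}(...args) { return rpc(${JSON.stringify(name)}, args); }`)
    .join("\n");
}

// Step 4: every incoming call is checked again on the server. The stub list
// shipped to the browser is a convenience, not an access-control boundary.
function dispatch(session, method, args) {
  // A Map lookup never resolves inherited names such as "constructor".
  if (typeof method !== "string" || !exposed.has(method)) {
    return { ok: false, error: "unknown method" };
  }
  if (!Array.isArray(args)) {
    return { ok: false, error: "bad arguments" };
  }
  const entry = exposed.get(method);
  if (!session || !entry.roles.includes(session.role)) {
    return { ok: false, error: "forbidden" };
  }
  return { ok: true, result: entry.fn(session, ...args) };
}
```

Logging the `unknown method` and `forbidden` results gives a signal when a client calls methods outside what its own interface would normally use.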

