I want some content of my web site to be dynamically loaded after login. A $.post(...) interacts with a servlet which validates the user's credentials, and then a $.load(url) loads the content from a separate page into a <div>. I noticed that, as long as I know where to fetch the content from, I can force this behavior from the Chrome JavaScript console, bypassing validation.
How can I prevent a user from doing this?
You can't.
Once a document has been delivered to the user's browser it is completely under the control of the user. They can run any JS they like.
The URLs you present on your webserver are the public interface to it. Anyone can request them. You can use authentication/authorization to limit who gets a response, but you can't make that response conditional on the user running specific JavaScript that you supply.
The server needs to authorize the user each time it delivers restricted data. You can't do it once and then trust the browser to enforce it.