Detailed Explanation of Security Control Examples in JSP Learning Java Web
- 2021-07-26 08:39:10
- OfStack
This article illustrates the security control in Java and Web of JSP learning. Share it for your reference. The details are as follows:
1. Objectives:
(1) Master the first processing process after logging in;
② Can add security control for each page;
③ Able to share verification codes;
4. Use filters to verify permissions;
⑤ Be able to verify the local contents of the document;
⑥ Master the basic implementation mode of security verification code;
⑦ Enhance security through exception handling.
2. Main contents:
(1) By modifying the previous login function, the login of administrators and ordinary users is processed respectively;
② Add control to pages that administrators can access;
Share the control codes in each page, use special files, and then call them when necessary;
Use filters to reduce duplicate verification codes;
5. Complete the security control of local information on the page through the standard tag library;
⑥ Introduce the basic implementation mode of security verification code;
1. Improve the login function
Under normal circumstances, the administrator jumps to the default working interface of the administrator after logging in successfully; After logging in, ordinary users jump to the default working interface of ordinary users; After the user fails to log in, jump to the login interface and log in again.
In order to accomplish this function, you need to write an administrator interface and a common user interface.
The file corresponding to the administrator interface is manager. jsp, and the code is as follows:
manager. jsp code:
<%@ page contentType="text/html;charset=gb2312"%>Administrator operation interface
The file corresponding to the general user interface is commonuser. jsp, and the code is as follows:
commonuser. jsp code:
<%@ page contentType="text/html;charset=gb2312"%>Common user interface
Modify the login Servlet, and the modified code is as follows:
LoginProcess. java code:
package servlet;
import javabean.User;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class LoginProcess extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request,response);
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// Getting information
String username = request.getParameter("username");
String userpass = request.getParameter("userpass");
// Call JavaBean
User user = new User();
user = user.findUserByName(username);
String forward;
if(user==null){
forward="failure.jsp";
}else if(user.getUserpass().equals(userpass)){
if(user.getUsertype().equals("1")){
forward="manager.jsp";
}
else{
forward="commonuser.jsp";
}
}else{
forward="failure.jsp";
}
RequestDispatcher rd = request.getRequestDispatcher(forward);
rd.forward(request,response);
}
}
2. Add security controls to each interface
In the above example, after successful login, you will jump to the administrator interface or the normal user interface, but if the user directly enters the administrator interface, the login interface will be skipped. For example, users can directly enter: http://127.0.0.1: 8080/ch11/manager.jsp.
To solve this problem, security control should be added to every interface with security restrictions. There are two tasks that need to be done:
(1) After logging in, the user's information is written into session;
② In each page, obtain information from session for verification;
Write user information to session after logging in, and the following is the modified LoginProcess. java code:
LoginProcess. java code:
package servlet;
import javabean.User;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class LoginProcess extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request,response);
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// Getting information
String username = request.getParameter("username");
String userpass = request.getParameter("userpass");
// Call JavaBean
User user = new User();
user = user.findUserByName(username);
// Get session Object
HttpSession session = request.getSession(true);
String forward;
if(user==null){
forward="failure.jsp";
}else if(user.getUserpass().equals(userpass)){
if(user.getUsertype().equals("1")){
// In session Storing information in an object
session.setAttribute("usertype","1");
forward="manager.jsp";
}
else{
session.setAttribute("usertype","0");
forward="commonuser.jsp";
}
}else{
forward="failure.jsp";
}
RequestDispatcher rd = request.getRequestDispatcher(forward);
rd.forward(request,response);
}
}
Take commonuser. jsp as an example to show how to do security control in each file. Here is the modified code:
commonuser. jsp code:
<%@ page contentType="text/html;charset=gb2312"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<c:if test="${usertype!=/"0/"}">
<jsp:forward page="login.jsp"/>
</c:if>
Common user interface
In this way, if you access commonuser. jsp directly without logging in, you will jump to the login interface.
3. Use special documents for verification
Because many pages need to write verification code, you can share these codes in a file, and call the shared file if necessary. Let's still use commonuser. jsp as an example to show how to share validation code.
Use a special file to store shared code:
check. jsp code:
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<c:if test="${usertype!=/"0/"}">
<jsp:forward page="login.jsp"/>
</c:if>
Import this special file in the file that needs to be verified. Take commonuser. jsp as an example:
commonuser. jsp code:
<%@ page contentType="text/html;charset=gb2312"%>
<%@ include file="check.jsp" %>
Common user interface
Use the include instruction to include the object file. When converting JSP to Java file, the code of the object file will be copied to the current file.
Run the test again, and the result is the same.
4. Use filters to verify permissions
Put files with the same permission requirements in the same folder, and filter the access to the folder in a unified way.
Write Servlet for filtering with the following code:
CommonCheck. java code:
package servlet;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class CommonCheck extends HttpServlet implements Filter {
public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain arg2) throws IOException, ServletException {
// Get session
HttpSession session = ((HttpServletRequest)arg0).getSession(true);
// Get the user type
String usertype = (String)session.getAttribute("usertype");
// Make a judgment
if(usertype==null || usertype.equals("1")){
((HttpServletResponse)arg1).sendRedirect("./../login.jsp");
}
// Continue to call other filters
try{
arg2.doFilter(arg0, arg1);
}catch(Exception e){}
}
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
}
}
Configure the filter, the configuration of the filter is very similar to that of Servlet, add the following code in web. xml:
<filter>
<filter-name>CommonCheck</filter-name>
<filter-class>servlet.CommonCheck</filter-class>
</filter>
<filter-mapping>
<filter-name>CommonCheck</filter-name>
<url-pattern>/commonuser/*</url-pattern>
</filter-mapping>
/commonuser/* is used in url-pattern, so that whenever you access the folder commonuser, the filter will be accessed, and if the user is not logged in, the target file will not be accessible.
Test: To test the need to create a folder commonuser, copy commonuser. jsp into the commonuser file.
The test process is as follows:
First, visit directly: http://127.0.0.1: 8080/ch11/commonuser/commonuser. jsp, and you will find that the login interface is displayed, that is, you accessed the files in commonuser because you didn't log in, and the filter processed them, and then jumped to the login interface.
Then enter the correct user name and password in the login interface, and then enter the above address in the address bar again, which will show the contents of the commonuser. jsp file. Indicates that the verification passed.
5. Control the security of local contents of files
The previous introduction is file-level security control. Sometimes, it is necessary to carry out security control on some contents in the file, such as the interface of item information list. If the current user is an administrator, the management function can be completed in it, but for ordinary users, it is not possible, which requires local control. Local control is mainly through the standard tag library < c:if > Label to complete.
6. The basic implementation of security verification code
In order to enhance the security of websites, many websites have adopted many security measures. Such as SSL access, U shield and password card (ICBC), information encryption, etc. Security verification code is a popular and effective security measure, which can effectively solve the problem that users crack passwords by traversing all possible combinations.
The basic working principle is as follows: Every time a client accesses the server, The server will generate the verification code and display it to the user in the form of graphics, while keeping a backup on the server. When submitting information, the user needs to submit the verification code to the server at the same time. After receiving the verification code, the server compares it with the verification code on the server side, and if it is the same, it will be processed. If not, ask the user to re-enter. Because it changes every time, if all users want to crack passwords, they must first deal with the changed security verification code, which increases the difficulty of cracking.
7. Enhance security through exception handling
Sometimes user attacks are based on the server used by the website, because many servers have their own bug. If the exception can not be handled effectively, the error information will be displayed in the client, and the client can find the version information of the server from the error information, which provides convenient conditions for malicious attacks by users.
For example, for input: http://127.0. 0.1: 8080/ch11/abc.jsp
abc. jsp is a file that does not exist. If it is not processed at this time, the server information will be displayed on the client.
If you can handle all kinds of exceptions without letting users see the technology and server you are using, it will be more difficult for customers to attack.
Once a student did such a thing: a website was completed by using JSP technology, and then after configuration, when the client visited, the file suffix used was php, which gave people the feeling that it was a website written by php technology.
I hope this article is helpful to everyone's JSP programming.