Java Web Security Control Examples in JSP Learning
This article describes security control for Java Web applications, as part of learning JSP, and is offered for your reference. The details are as follows:
I. Objectives:
① Master the general process after logon;
② Add security control to each page;
③ Be able to share the verification code across pages;
④ Use a filter to verify permissions;
⑤ Be able to control access to part of a file's content;
⑥ Master the basic implementation of a security verification code (CAPTCHA);
⑦ Enhance security through exception handling.
II. Main content:
① Modify the earlier logon function so that administrators and common users are handled separately;
② Add access control to the pages that only administrators may use;
③ Share the control code across pages by placing it in a dedicated file and including it where needed;
④ Use a filter to remove the repeated verification code;
⑤ Control part of a page's content through the standard tag library;
⑥ Describe the basic implementation of a security verification code.
1. Improve the logon Function
Normally, after a successful logon an administrator is taken to the administrator's default work interface and a common user to the common user's default work interface; after a failed logon, the user is returned to the logon interface to try again.
To complete this function, you need to write the administrator interface and the common user interface.
The administrator interface is the file manager.jsp, with the following code:

```jsp
<%@ page contentType="text/html;charset=gb2312" %>
Administrator operation interface
```
The common user interface is the file commonuser.jsp, with the following code:

```jsp
<%@ page contentType="text/html;charset=gb2312" %>
Common User Interface
```
Modify the logon Servlet. The modified LoginProcess.java is as follows:

```java
package servlet;

import javabean.User;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginProcess extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // obtain the submitted information
        String username = request.getParameter("username");
        String userpass = request.getParameter("userpass");
        // call the JavaBean to look the user up by name
        User user = new User();
        user = user.findUserByName(username);
        String forward;
        if (user == null) {
            forward = "failure.jsp";
        } else if (user.getUserpass().equals(userpass)) {
            // usertype "1" is an administrator, anything else a common user
            if (user.getUsertype().equals("1")) {
                forward = "manager.jsp";
            } else {
                forward = "commonuser.jsp";
            }
        } else {
            forward = "failure.jsp";
        }
        RequestDispatcher rd = request.getRequestDispatcher(forward);
        rd.forward(request, response);
    }
}
```
2. Add Security Control to Each Interface
After a successful logon in the example above, the administrator interface or the common user interface is displayed. However, the logon interface can be bypassed simply by requesting the administrator interface directly, for example by entering http://127.0.0.1:8080/ch11/manager.jsp.
To solve this problem, security control must be added to every interface that has access restrictions. Two tasks are required:
① Write the user information to the session after logon;
② On each page, read that information from the session and verify it.
After logon, write the user information to the session. The modified LoginProcess.java is as follows:

```java
package servlet;

import javabean.User;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginProcess extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // obtain the submitted information
        String username = request.getParameter("username");
        String userpass = request.getParameter("userpass");
        // call the JavaBean to look the user up by name
        User user = new User();
        user = user.findUserByName(username);
        // obtain the session object
        HttpSession session = request.getSession(true);
        String forward;
        if (user == null) {
            forward = "failure.jsp";
        } else if (user.getUserpass().equals(userpass)) {
            if (user.getUsertype().equals("1")) {
                // store the user type in the session object
                session.setAttribute("usertype", "1");
                forward = "manager.jsp";
            } else {
                session.setAttribute("usertype", "0");
                forward = "commonuser.jsp";
            }
        } else {
            forward = "failure.jsp";
        }
        RequestDispatcher rd = request.getRequestDispatcher(forward);
        rd.forward(request, response);
    }
}
```
Taking commonuser.jsp as an example, this is how the security control is implemented in each file. The modified code is as follows:

```jsp
<%@ page contentType="text/html;charset=gb2312" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:if test="${usertype != '0'}">
    <jsp:forward page="login.jsp"/>
</c:if>
Common User Interface
```
In this way, if you access commonuser.jsp directly without logging on, the logon page is displayed instead.
3. Use a Dedicated File for Verification
Because many pages need the same verification code, you can keep it in a single file and include that file wherever it is needed. The following uses commonuser.jsp as an example.
Put the shared code in a dedicated file, check.jsp:

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:if test="${usertype != '0'}">
    <jsp:forward page="login.jsp"/>
</c:if>
```
Include this file in each page that needs verification. Taking commonuser.jsp as an example:

```jsp
<%@ page contentType="text/html;charset=gb2312" %>
<%@ include file="check.jsp" %>
Common User Interface
```
The include directive pulls in the target file: when the JSP is translated into a Java file, the code of the included file is copied into the current file.
Run the test again and the results are the same.
4. Use a Filter to Verify Permissions
Put files with the same permission requirements in the same folder, so that access to the whole folder can be filtered in one place.
Write the filter class, CommonCheck.java. The code is as follows:

```java
package servlet;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CommonCheck implements Filter {
    public void init(FilterConfig arg0) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
            throws IOException, ServletException {
        // get the session
        HttpSession session = ((HttpServletRequest) arg0).getSession(true);
        // obtain the user type stored at logon
        String usertype = (String) session.getAttribute("usertype");
        // not logged on (or an administrator, who does not belong in this folder):
        // send the client to the logon page and stop here, so the target page never runs
        if (usertype == null || usertype.equals("1")) {
            ((HttpServletResponse) arg1).sendRedirect("./../login.jsp");
            return;
        }
        // otherwise continue with the remaining filters and the target page
        arg2.doFilter(arg0, arg1);
    }
}
```
Configure the filter. The configuration is very similar to that of a Servlet; add the following to web.xml:

```xml
<filter>
    <filter-name>CommonCheck</filter-name>
    <filter-class>servlet.CommonCheck</filter-class>
</filter>
<filter-mapping>
    <filter-name>CommonCheck</filter-name>
    <url-pattern>/commonuser/*</url-pattern>
</filter-mapping>
```
Using /commonuser/* as the url-pattern means the filter runs whenever anything under the commonuser folder is requested; if the user has not logged on, the target file cannot be reached.
Test: to test the function, create a folder named commonuser and copy commonuser.jsp into it.
The test procedure is as follows:
First access http://127.0.0.1:8080/ch11/commonuser.jsp. You will find that the logon interface is displayed: a file in the commonuser folder was requested without logging on, so the filter handled the request and redirected to the logon interface.
Enter the correct user name and password on the logon page, then enter the address above in the address bar again. The content of commonuser.jsp is now displayed, which shows that the verification works.
5. Control the Security of Part of a File's Content
The sections above describe security control at the file level. Sometimes you need to control only part of a file's content, for example an item list interface where an administrator can use the management functions but a common user cannot. This requires local control, which is implemented mainly with the <c:if> tag of the standard tag library.
6. Basic Implementation of a Security Verification Code
Many websites adopt additional measures to strengthen security, for example SSL access, USB security tokens (U-Shield) and password cards such as those issued by ICBC, and encryption of information. A security verification code (CAPTCHA) is a popular and effective measure: it counters attempts to crack a password by trying every possible combination.
The basic working principle is as follows. Each time the client requests the form, the server generates a verification code, shows it to the user as an image, and keeps a copy on the server side. When the user submits the form, the verification code must be submitted together with the other information. The server compares the submitted code with its stored copy: if they match, the request is processed; if not, the user is asked to enter it again. Because the code changes with every request, anyone trying to crack the password must first deal with a new verification code on each attempt, which greatly increases the difficulty.
7. Enhance Security Through Exception Handling
Sometimes attacks on a website target the server software it runs on, because many servers have their own bugs. If exceptions are not handled effectively, the error information is shown to the client, and that information reveals the server version, which makes malicious attacks easier.
For example, request http://127.0.0.1:8080/ch11/abc.jsp
abc.jsp does not exist. If this case is not handled, the server's own error page, including its version information, is shown to the client.
If you handle all kinds of exceptions so that users cannot see which technologies and servers you use, attacking the site becomes more difficult.
Once a student completed a website using JSP technology and configured it so that every file suffix seen by clients was .php, which made it look like a site written in PHP.
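An added example (not from the article) of the exception handling this section recommends: a filter, mapped to /* like CommonCheck above, that catches anything thrown by the pages behind it, writes the details to the server log and forwards the client to a neutral error page. The filter name and the error.jsp path are assumptions.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the article's code: catches anything thrown by the pages behind it,
// logs the details on the server and shows the client a neutral page instead of the
// container's default error page with its stack trace and version banner.
public class ErrorHidingFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ErrorHidingFilter.class.getName());
    static final String ERROR_PAGE = "/error.jsp"; // assumed: a plain page with no version details

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(req, res);
        } catch (Exception e) {
            // full detail stays in the server log; the client only gets a generic 500
            LOG.log(Level.SEVERE, "Unhandled error for " + request.getRequestURI(), e);
            if (response.isCommitted()) {
                throw new ServletException(e); // too late to replace the body
            }
            response.reset();
            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            request.getRequestDispatcher(ERROR_PAGE).forward(req, res);
        }
    }
}
```

Errors the container generates itself, such as the 404 for the missing abc.jsp, are sent with sendError rather than thrown, so they do not reach this catch block; map those to the same neutral page with <error-page> entries in web.xml.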
I hope this article will help you with JSP program design.