JSP Learning in Java Web Security Control example detailed _jsp programming

This article illustrates the security control of JSP learning in the Java Web. Share to everyone for your reference. Specifically as follows:

First, the goal:

① Master Login After the general processing process;
② can add security control to each page;
③ can share authentication code;
④ use filters to authenticate permissions;
⑤ can verify the local content of the file;
⑥ grasp the basic implementation of security verification code;
⑦ enhances security through exception handling.

Second, the main content:

① by modifying the previous login function, the administrator and the ordinary user login to deal with;
② to add control for pages that administrators can access;
③ share control code in each page, use specialized files, and then call when needed;
④ use filters to reduce duplicate verification code;
⑤ through the standard tag library to complete the page local Information security control;
⑥ introduces the basic implementation of security verification code;

1. Perfect login function

Under normal circumstances, the administrator login succeeds after the user jumps to the administrator default working interface, normal users log in to jump to the normal user default working interface, user login failed to jump to the login interface to login again.
To complete this function, you need to write an administrator interface and a common user interface.
The corresponding file for the admin interface is manager.jsp, the code is as follows:

Manager.jsp Code:

Copy Code code as follows:

<%@ page contenttype= "text/html;charset=gb2312"%>

Administrator Action Interface

The normal user interface corresponding to the file is commonuser.jsp, the code is as follows:

Commonuser.jsp Code:

Copy Code code as follows:

<%@ page contenttype= "text/html;charset=gb2312"%>

Common User Interface

Modify the logged in servlet with the following modified code:

Loginprocess.java Code:

Package servlet; Import JavaBean.
User;
Import java.io.IOException;
Import Java.io.PrintWriter;
Import Javax.servlet.RequestDispatcher;
Import javax.servlet.ServletException;
Import Javax.servlet.http.HttpServlet;
Import Javax.servlet.http.HttpServletRequest;
Import Javax.servlet.http.HttpServletResponse;
Import javax.servlet.http.HttpSession; public class Loginprocess extends HttpServlet {public void doget (HttpServletRequest request, HttpServletResponse resp
    Onse) throws Servletexception, IOException {doPost (request,response); public void DoPost (HttpServletRequest request, httpservletresponse response) throws Servletexception, IOE
       Xception {//Get information String username = request.getparameter ("username");
       String Userpass = Request.getparameter ("Userpass");
       Call JavaBean User user = new user ();
       user = User.finduserbyname (username);
       String forward; if (user==null) {forward= "failure.jsP "; }else if (User.getuserpass (). Equals (Userpass)) {if (User.getusertype (). Equals ("1")) {forward= "Manag"
           Er.jsp ";
           } else{forward= "commonuser.jsp";
       }}else{forward= "failure.jsp";
       RequestDispatcher rd = Request.getrequestdispatcher (forward);
    Rd.forward (Request,response);

 }
}

2. Add security control for each interface

A successful login in the above instance jumps to the admin interface or the normal user interface, but if the user enters the administrator interface directly, the login interface is skipped. For example, users can enter directly: http://127.0.0.1:8080/ch11/manager.jsp.

To solve this problem, security controls should be added to each interface with security restrictions. Two tasks need to be done:

① writes the user's information to the session after logging in;
② in each page, from the session to obtain information to verify;

After logging in, the user information is written to the session, and the following is the modified Loginprocess.java code:

Loginprocess.java Code:

Package servlet; Import JavaBean.
User;
Import java.io.IOException;
Import Java.io.PrintWriter;
Import Javax.servlet.RequestDispatcher;
Import javax.servlet.ServletException;
Import Javax.servlet.http.HttpServlet;
Import Javax.servlet.http.HttpServletRequest;
Import Javax.servlet.http.HttpServletResponse;
Import javax.servlet.http.HttpSession; public class Loginprocess extends HttpServlet {public void doget (HttpServletRequest request, HttpServletResponse resp
    Onse) throws Servletexception, IOException {doPost (request,response); public void DoPost (HttpServletRequest request, httpservletresponse response) throws Servletexception, IOE
       Xception {//Get information String username = request.getparameter ("username");
       String Userpass = Request.getparameter ("Userpass");
       Call JavaBean User user = new user ();
       user = User.finduserbyname (username); Get Session Object HttpSession session = Request.getsession (true);
       String forward;
       if (user==null) {forward= "failure.jsp"; }else if (User.getuserpass (). Equals (Userpass)) {if (User.getusertype (). Equals ("1")) {//In the Session object
              Storage information Session.setattribute ("Usertype", "1");
           Forward= "manager.jsp";
              } else{Session.setattribute ("usertype", "0");
           Forward= "commonuser.jsp";
       }}else{forward= "failure.jsp";
       RequestDispatcher rd = Request.getrequestdispatcher (forward);
    Rd.forward (Request,response);

 }
}

Take commonuser.jsp as an example of how to control security in each file, following the modified code:

Commonuser.jsp Code:

<%@ page contenttype= "text/html;charset=gb2312"%>
<%@ taglib prefix= "C" uri= "http://java.sun.com/jsp/" Jstl/core "%> <c:if test= ${usertype!=/" 0/"
}" > <jsp:forward page= "login.jsp"/> </c
: If>

Common User Interface

This way, if you do not log in and access commonuser.jsp directly, you will jump to the login interface.

3, the use of special documents to verify

Because many pages have to write validated code, you can put this code in a file to share, need to use the call to share files. The following still takes commonuser.jsp as an example of how to implement the sharing of validation code.

Use specialized files to store shared code:

Check.jsp Code:

<%@ taglib prefix= "C" uri= "Http://java.sun.com/jsp/jstl/core"%> <c:if test=
"${usertype!=/" 0/"}" >
  <jsp:forward page= "login.jsp"/>
</c:if>

Import this specialized file in a file that needs to be validated. Take commonuser.jsp as an example:

Commonuser.jsp Code:

<%@ page contenttype= "text/html;charset=gb2312"%>
<%@ include file= "check.jsp"%>

Common User Interface

Using the include directive to include the target file, the code of the target file is copied to the current file when the JSP is converted into a Java file.
Run the test again and the results are the same.

4, use the filter to verify the permissions

The files with the same permission requirements are placed under the same folder, and the access to the folder is filtered uniformly.

Write the servlet for filtering, the following code:

Commoncheck.java Code:

Package servlet;
Import java.io.IOException;
Import Javax.servlet.Filter;
Import Javax.servlet.FilterChain;
Import Javax.servlet.FilterConfig;
Import javax.servlet.ServletException;
Import Javax.servlet.ServletRequest;
Import Javax.servlet.ServletResponse;
Import Javax.servlet.http.HttpServlet;
Import javax.servlet.http.HttpSession;
Import Javax.servlet.http.HttpServletRequest;
Import Javax.servlet.http.HttpServletResponse;  public class Commoncheck extends HttpServlet implements Filter {public void Dofilter (ServletRequest arg0, Servletresponse Arg1, Filterchain arg2) throws IOException, servletexception {//get session HttpSession session = ((HttpS
    ervletrequest) arg0). GetSession (True);
    Get user type String usertype = (string) session.getattribute ("usertype"); To determine if (Usertype==null | | usertype.equals ("1")) {(HttpServletResponse) arg1). Sendredirect ("./..
    /login.jsp ");
    //Continue to invoke other filters try{arg2.dofilter (arg0, arg1); }catch (excePtion e) {}} public void init (Filterconfig arg0) throws Servletexception {//TODO auto-generated method stub}}

 

Configure the filter, and the configuration of the filter is very similar to that of the servlet, adding the following code in Web.xml:

<filter>
  <filter-name>CommonCheck</filter-name>
  <filter-class>servlet. commoncheck</filter-class>
</filter>
 <filter-mapping>
  <filter-name> commoncheck</filter-name>
  <url-pattern>/commonuser/*</url-pattern>
 </ Filter-mapping>

/commonuser/* is used in url-pattern so that the filter is accessed whenever the Commonuser folder is accessed, and the target file cannot be accessed if the user is not logged in.

Test: To test the need to create a folder Commonuser, copy commonuser.jsp to the Commonuser file.

The test process is as follows:

First Direct access: http://127.0.0.1:8080/ch11/commonuser/commonuser.jsp, you will find that the login interface is displayed, because there is no login to access the file in Commonuser, filter processing, and then jump to the login interface.

Then enter the correct username and password in the login interface, and then enter the address in the address bar again, and you will see the contents of the commonuser.jsp file. Represents a validation pass.

5, the security of the local content of the file control

All of the above are file-level security controls, sometimes there is a need for security control of some of the contents of the file, such as the object Information list interface, if the current user is an administrator, you can complete the management function, but for ordinary users, but not, this requires local control. The local control is mainly done through the <c:if> tags in the standard tag library.

6. The basic realization way of security verification code

To enhance the security of the site, many sites use a lot of security measures. For example, SSL access, U shield and Password Card (ICBC), information encryption and so on. Security verification code is now a more popular effective security measures, can effectively solve the user through all possible combinations to crack the password problem.
The basic working principle is as follows: Every time the client accesses the server, the server generates the authentication code, displays the graph to the user, simultaneously maintains the backup on the server, the user needs to submit the authentication code to the server at the same time when submitting the information, the server receives the authentication code to compare with the server side verification code, If the same is handled. If different, let the user re-enter. Because each time changes, all users if want to crack the password, first of all to deal with the change of security authentication code, so it increased the difficulty of cracking.

7. Enhance security through exception handling

Sometimes the user's attack is based on the server used by the site, because many servers have their own bugs. If an exception cannot be processed effectively, the error message is displayed on the client, which allows the customer to discover the server's version information from the error message, which provides a convenient condition for the user's malicious attack.

For example, for input: http://127.0.0.1:8080/ch11/abc.jsp

While abc.jsp is a nonexistent file, the server's information is displayed at the client if it is not processed.

If you can handle a variety of exceptions, so that users do not see the technology and the server you use, so the customer attacks the difficulty is increased.

Once a student has done such a thing: using JSP technology to complete a Web site, and then through configuration, client access, the use of the file suffix is PHP, the feeling is like the use of PHP technology to write a website.

I hope this article will help you with the JSP program design.