JSP security issues. If someone knows the URL of a JSP page, they can skip the login page and request that page directly. Access control therefore has to be enforced on the page itself, not only on the login form: a page must be served only to a user who has already passed authentication. This article discusses how to make a specific JSP page reachable only by users who have passed login verification.
JSP page verification involves three parts: the session object, page-level permission checks, and user login verification.
Session Object
The session object stores the state of one user's session. A session is a conversation between a browser and the server that spans many HTTP requests and responses. session is a built-in (implicit) JSP object, one per client: the container issues the browser a session ID (normally in the JSESSIONID cookie) and uses it to find that client's session again on later requests. The data you put into the session is kept on the server; only the ID travels to the browser, which is why protecting that ID is as important as the login check itself.
Storing logon information in the session
1) JSP
session.setAttribute("userinfo", USERNAME); // store the logged-on user name in the session
2) Java (Servlet)
request.getSession().setAttribute("userinfo", USERNAME); // store the logged-on user name in the session
Here request is the HttpServletRequest passed to doPost(HttpServletRequest request, HttpServletResponse response) {...}.
Session timeout settings
1) web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
...
<session-config>
<session-timeout>30</session-timeout> <!-- in minutes, e.g. 30 minutes; a value of 0 or less means the session never expires -->
</session-config>
</web-app>
2) Java
request.getSession().setMaxInactiveInterval(30*60); // set the session expiry (timeout), in seconds
Note: web.xml sets the default for every session in the application; setMaxInactiveInterval() applies to the one session it is called on and takes precedence, so if both are set the programmatic value wins for that session.
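The session ID is the only thing the browser presents to be recognized as logged on, so the cookie that carries it needs protecting as well. The listener below is added here as an example and is not the article's code; it assumes the package com.homer from the article's web.xml and a Servlet 3.0 or later container (Tomcat 7 and later). It uses the SessionCookieConfig API to mark the cookie HttpOnly (not readable from JavaScript) and Secure (sent only over HTTPS), and restricts session tracking to cookies so the container never rewrites the ID into URLs, which would otherwise let a copied link such as /page111.jsp;jsessionid=... hand a logged-on session to whoever receives it.

```java
package com.homer;  // assumed package, matching the article's web.xml

import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/** Hardens the session cookie once at application start-up. */
@WebListener  // picked up automatically by a Servlet 3.0+ container; no web.xml entry needed
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);  // not visible to document.cookie, so an XSS bug cannot read the ID
        cookie.setSecure(true);    // sent only over HTTPS; remove only for a plain-HTTP test setup

        // Cookie-only tracking: with URL tracking enabled the container appends ;jsessionid=...
        // to rewritten links, and anyone who obtains such a link inherits the session.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}
```

The same three settings can be declared in web.xml instead (the cookie-config and tracking-mode elements of session-config); the listener form is shown because it sits next to the Java session code above and cannot be forgotten when the web.xml is copied between projects.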
JSP page permissions
JSP page permissions can be configured in two ways:
1) include file
For example, the verification file logincheck.jsp:
[Html]
<%
    if (session.getAttribute("userinfo") == null) {
%>
<script type="text/javascript" language="javascript">
    alert("You have not logged on, please log on...");
    document.location.href = "userlogin.html";
</script>
<%
        return; // stop here so the rest of the protected page is not sent to the client
    }
%>
Add logincheck.jsp at the very beginning of each JSP page that needs verification, for example:
<%@ include file="logincheck.jsp" %>
Note: without the return the include would only emit the script and the rest of the page would follow it in the same response, so any client that does not execute JavaScript (curl, a scanner) would still receive the protected content. Even with the return, the redirect is only a suggestion to the browser; a server-side response.sendRedirect("userlogin.html") before the return is the more robust choice.
2) filter
First, declare the filter and its mapping in the web.xml configuration file.
[Html]
<filter>
<filter-name>LoginFilter</filter-name>
<filter-class>com.homer.LoginFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>LoginFilter</filter-name>
<url-pattern>/page222.jsp</url-pattern>
</filter-mapping>
Note: as configured, the filter runs only when the user accesses page222.jsp. You can also map directory patterns such as /* or /user/* to filter many pages at once. With /* the filter also intercepts userlogin.html, login.jsp and the /login servlet, so it must explicitly let those through or every visitor is bounced back to the logon page forever.
Then implement the check in LoginFilter.java (the com.homer.LoginFilter named in web.xml):
[Java]
package com.homer;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {
    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false) does not create a new session just because an anonymous request arrived
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("userinfo") == null) {
            // not logged on: answer with a script that sends the browser to the logon page,
            // and do not call chain.doFilter(), so the protected page is never rendered
            response.setCharacterEncoding("UTF-8");
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.print("<script>alert('You have not logged on, please log on...');location='userlogin.html'</script>");
            out.flush();
            out.close();
            // alternative: forward to the logon page with an error message
            // request.setAttribute("loginError", "You have not logged on. Please log on...");
            // request.getRequestDispatcher("userlogin.html").forward(request, response);
        } else {
            chain.doFilter(request, response); // logged on: continue to the requested page
        }
    }

    @Override
    public void destroy() {
    }
}
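The filter above still answers an unauthenticated request with HTTP 200 and a piece of JavaScript, which only browsers honour, and it cannot be mapped to /* as written because it would also block the logon page. The version below is an added example, not the article's code, written the way a practitioner would deploy it under <url-pattern>/*</url-pattern>: it denies by default, allow-lists only the logon flow (the paths are the article's, the /static/ prefix and the returnTo attribute name are assumptions), and refuses anonymous requests with a real server-side 302 so that curl and scanners are refused just like browsers. It remembers the requested in-application path so the login code can send the user back there afterwards.

```java
package com.homer;  // assumed package, matching the article's web.xml

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login check intended for <url-pattern>/*</url-pattern>: deny by default, allow-list the logon flow. */
public class LoginFilter implements Filter {
    // Paths reachable without a session. Everything not listed here requires "userinfo",
    // so a mistyped or unexpected path fails closed rather than open.
    private static final Set<String> PUBLIC_PATHS = new HashSet<>(Arrays.asList(
            "/", "/index.jsp", "/userlogin.html", "/login", "/login.jsp"));

    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application, e.g. "/page222.jsp"
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // "/static/" is an assumed location for images and stylesheets that need no login
        if (PUBLIC_PATHS.contains(path) || path.startsWith("/static/")) {
            chain.doFilter(request, response);
            return;
        }

        // getSession(false): do not allocate a session for every anonymous probe
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("userinfo") == null) {
            if (session == null) {
                session = request.getSession(true);
            }
            // Only an in-application path is stored, never a full URL supplied by the client.
            session.setAttribute("returnTo", path);  // "returnTo" is an assumed attribute name
            response.setHeader("Cache-Control", "no-store");
            // A real redirect: enforced by the server, independent of JavaScript in the client.
            response.sendRedirect(request.getContextPath() + "/userlogin.html");
            return;
        }

        // Logged on: keep protected pages out of browser and proxy caches, then continue.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

Because the allow-list is exact-match, a request such as /userlogin.html;anything or /page222.jsp with a different case does not accidentally match a public entry; it simply falls into the default-deny branch. The original userinfo check is unchanged, so the login code from the rest of this article keeps working with this filter.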
User logon verification
There are two places to verify a user's login: in a JSP page (front end) or in a Java servlet (back end).
1) JSP page verification (login.jsp)
[Html]
<%
    String USERNAME = "admin";
    String USERPWD = "123456";
    request.setCharacterEncoding("UTF-8");
    String userName = request.getParameter("username");
    String userPwd = request.getParameter("userpwd");
    // check for null before calling trim(); a missing parameter would otherwise throw NullPointerException
    if (userName == null || userPwd == null) {
        response.sendRedirect("userlogin.html");
        return;
    }
    userName = userName.trim();
    userPwd = userPwd.trim();
    if (userName.equals(USERNAME) && userPwd.equals(USERPWD)) {
        session.setMaxInactiveInterval(30 * 60); // session expiry (timeout), in seconds
        session.setAttribute("userinfo", USERNAME); // user name and password are correct: save the logon information
        response.sendRedirect("page111.jsp");
    } else {
        response.sendRedirect("userlogin.html"); // wrong user name or password: back to the logon page
    }
%>
2) Java (Servlet) back-end verification (Login.java)
[Java]
package com.homer;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Login extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private static final String USERNAME = "admin";
    private static final String USERPWD = "123456";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.setCharacterEncoding("UTF-8");
        String userName = request.getParameter("username");
        String userPwd = request.getParameter("userpwd");
        // check for null before trim(), and return after the redirect so the method does not fall through
        if (userName == null || userPwd == null) {
            response.sendRedirect("userlogin.html");
            return;
        }
        userName = userName.trim();
        userPwd = userPwd.trim();
        if (userName.equals(USERNAME) && userPwd.equals(USERPWD)) {
            request.getSession().setMaxInactiveInterval(30 * 60); // session expiry (timeout), in seconds
            // user name and password are correct: save the logon information
            // (in a servlet the session is reached through request.getSession(), unlike the implicit session object in a JSP page)
            request.getSession().setAttribute("userinfo", USERNAME);
            response.sendRedirect("page111.jsp");
        } else {
            response.sendRedirect("userlogin.html"); // wrong user name or password: back to the logon page
        }
    }
}
The servlet also needs a mapping in web.xml:
[Html]
<servlet>
<description>Login</description>
<display-name>Login</display-name>
<servlet-name>Login</servlet-name>
<servlet-class>com.homer.Login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
Note: Login.java is mapped to the path /login, so a form in an HTML or JSP page reaches it with action="login".
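The servlet above stores the user name into whatever session the browser already had. An attacker who can plant a session ID in the victim's browser before login (session fixation) would then share the authenticated session. The servlet below is an added example, not the article's code; it keeps the article's demo credentials and the userinfo attribute, but discards the pre-login session and issues a fresh one, compares credentials without short-circuiting on the first wrong character, refuses credentials sent by GET, and honours the returnTo path (an assumed attribute name, as a login filter might set it) only when it is a path inside this application, so the login endpoint cannot be turned into an open redirect.

```java
package com.homer;  // assumed package, matching the article's web.xml

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class Login extends HttpServlet {
    private static final long serialVersionUID = 1L;
    // Demo credentials as in the article. A real application checks a salted password hash
    // from a user store instead of a constant.
    private static final String USERNAME = "admin";
    private static final String USERPWD = "123456";

    /** Byte-wise comparison that does not stop at the first mismatch (length is still visible). */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // Credentials in a GET would end up in browser history and access logs: refuse.
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.setCharacterEncoding("UTF-8");
        String userName = request.getParameter("username");
        String userPwd = request.getParameter("userpwd");
        if (userName == null || userPwd == null) {
            response.sendRedirect("userlogin.html");
            return;
        }
        userName = userName.trim();

        // One identical answer for unknown user and wrong password: no user-name enumeration.
        if (!(constantTimeEquals(userName, USERNAME) && constantTimeEquals(userPwd, USERPWD))) {
            response.sendRedirect("userlogin.html");
            return;
        }

        // Session fixation defence: drop the pre-login session (whose ID may have been planted)
        // and create a new one that only now becomes authenticated. On Servlet 3.1+ containers
        // request.changeSessionId() achieves the same while keeping the attributes.
        HttpSession old = request.getSession(false);
        String returnTo = null;
        if (old != null) {
            Object saved = old.getAttribute("returnTo");  // assumed name, set by a login filter
            if (saved instanceof String) {
                returnTo = (String) saved;
            }
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(30 * 60);  // seconds, as in the article
        session.setAttribute("userinfo", USERNAME);

        // Only redirect inside this application: must start with "/" but not "//" (protocol-relative URL).
        if (returnTo == null || !returnTo.startsWith("/") || returnTo.startsWith("//")) {
            returnTo = "/page111.jsp";
        }
        response.sendRedirect(request.getContextPath() + returnTo);
    }
}
```

The web.xml servlet mapping shown above applies unchanged; only the class body differs. Because the old session is invalidated, any value the article's logincheck.jsp or LoginFilter looks for (userinfo) exists only in the session that was created after the password check succeeded.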
User logon interface
The logon page is the first page a user sees before reaching the rest of the site, so it is best kept as a static HTML page, for example userlogin.html:
[Html]
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>userlogin.html</title>
</head>
<body>
<center>
<form method="POST" name="form1" action="login">
<table>
<tr>
<td>UserName:</td>
<td><input type="text" name="username"/></td>
</tr>
<tr>
<td>UserPwd:</td>
<td><input type="password" name="userpwd"/></td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" name="btnSubmit" value="login"/>
</td>
</tr>
</table>
</form>
</center>
</body>
</html>
Note: action="login" submits the form to Login.java (the servlet mapped to /login) for verification. The password field uses type="password" so that the value is masked on screen; the method is POST so that the credentials are not placed in the URL.
userlogin.html can submit to either of the two verification methods:
1) JSP method
<form method="POST" name="form1" action="login.jsp">
2) Java (Servlet) method
<form method="POST" name="form1" action="login">
Code example
The main files in this example are:
1) head.jsp and foot.jsp
Shared header and footer included by every JSP page, similar to ASP.NET master pages.
2) index.jsp
The default page of the site. In this example it only jumps to the logon page userlogin.html:
<script type="text/javascript" language="javascript">
    window.location = "userlogin.html";
</script>
3) userlogin.html
The static logon page; see the user logon interface above.
4) login.jsp and Login.java
login.jsp verifies the user's login information (user name and password) in the page; see user logon verification method 1 above.
Login.java verifies the user's login information (user name and password) in the back end; see user logon verification method 2 above.
5) logincheck.jsp and LoginFilter.java
logincheck.jsp checks in the page whether the user has logged on; see JSP page permission method 1 above.
LoginFilter.java checks in the back end whether the user has logged on; see JSP page permission method 2 above.
6) page111.jsp, page222.jsp and page333.jsp
(1) page111.jsp
Protected by including logincheck.jsp. The page content is:
<%@ include file="logincheck.jsp" %>
<%@ include file="head.jsp" %>
I am page111.jsp
<%@ include file="foot.jsp" %>
(2) page222.jsp
Protected by the filter. The page content is:
<%@ include file="head.jsp" %>
I am page222.jsp
<%@ include file="foot.jsp" %>
Note: with the filter method, the pages to protect are chosen in web.xml by the filter's url-pattern; see JSP page permissions, "2) filter", above.
(3) page333.jsp
Not protected at all. The page content is:
<%@ include file="head.jsp" %>
I am page333.jsp
<%@ include file="foot.jsp" %>
Note: page333.jsp can be opened by typing its URL directly, without any authentication. This is exactly the situation described at the start of the article: a page that is neither included in the filter mapping nor includes logincheck.jsp is public, whatever the login page says.
7) logout.jsp
Invalidates the session when the user logs out, so the session ID the browser still holds no longer refers to a logged-on user:
<%
    session.invalidate();
    response.sendRedirect("http://blog.csdn.net/sunboy_2050/article/details/8032693");
%>
The example behaves as follows when run:
1) Logon interface
userlogin.html is shown first.
2) JSP page verification
A page protected by logincheck.jsp (or by LoginFilter.java) sends a user who has not logged on back to the logon page.
3) Access to the JSP page after verification
Once login.jsp (or Login.java) has accepted the user name and password, the user can open the protected JSP pages.