JSP Security issues

Source: Internet
Author: User

In a JSP project, if the different JSP pages are reached only by hyperlinks from one page to the next, security is far too low and does not meet real-world requirements: anyone who knows or guesses a page's URL can open it directly.
To improve this, jump between pages through a servlet instead. Going one step further, the JSP files can be placed under the WEB-INF directory, which the container never serves directly to a browser. But that raises the next problem: once the files are under WEB-INF, how are they accessed at all?
One way to do it: build another servlet class as a transit point for page jumps. The files under WEB-INF are told apart by IDs; the page requests the servlet with an ID, the servlet looks up which JSP that ID stands for, and forwards the request to the corresponding page. The JSP is reached only through this broker, never directly.

The new servlet class is as follows:

    package cn.edu.servlet;

    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class MNG extends HttpServlet {
        private static final long serialVersionUID = 1L;

        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // The ID sent by the page; it tells the jump targets apart
            String id = request.getParameter("id");
            System.out.println("Id=" + id); // only used while debugging, not needed in practice

            // "1".equals(id) rather than id.equals("1"): a request without the id
            // parameter would otherwise throw a NullPointerException
            if ("1".equals(id)) {
                request.getRequestDispatcher("/index.jsp").forward(request, response);
            } else if ("2".equals(id)) {
                request.getRequestDispatcher("/WEB-INF/admin/add.jsp").forward(request, response);
            } else if ("3".equals(id)) {
                request.getRequestDispatcher("/WEB-INF/admin/bisai.jsp").forward(request, response);
            } else if ("4".equals(id)) {
                request.getRequestDispatcher("/WEB-INF/admin/gamema.jsp").forward(request, response);
            } else if ("5".equals(id)) {
                request.getRequestDispatcher("/WEB-INF/admin/manager.jsp").forward(request, response);
            } else if ("6".equals(id)) {
                request.getRequestDispatcher("/WEB-INF/admin/message.jsp").forward(request, response);
            } else if ("7".equals(id)) {
                request.getRequestDispatcher("/WEB-INF/admin/modify.jsp").forward(request, response);
            } else if ("8".equals(id)) {
                request.getRequestDispatcher("/WEB-INF/admin/pk.jsp").forward(request, response);
            } else if ("9".equals(id)) {
                request.getRequestDispatcher("/WEB-INF/admin/result.jsp").forward(request, response);
            } else {
                // Unknown ID: there is nothing to forward to, so answer 404 instead of an empty page
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
            }
        }
    }

The page code for the jump is as follows:

    <form action="Addservlet" method="POST">
        <label>Race Number:</label><input type="text" name="id" placeholder="Please enter the contest number"/><br />
        <label>Contest Name:</label><input type="text" name="gamename" placeholder="Please enter the name of the contest"/><br />
        <label>Race Time:</label><input type="text" name="Gametime" placeholder="* Format: YYYY.MM.DD"/><br />
        <label>Match location:</label><input type="text" name="gameaddress" placeholder="Please enter the contest location"/><br />
        <label>Number limit:</label><input type="text" name="gamenum" placeholder="* Format: Please fill in the integer"/><br />
        <label>Registration deadline:</label><input type="text" name="Deadline" placeholder="* Format: YYYY.MM.DD"/><br />
        <!-- The old way, linking straight to the JSP path, is commented out:
        <form action="" method="post"><input type="submit" value="join"></form>
        <form action="tennis_game/webroot/web-inf/bisai.jsp" method="POST"><input type="button" value="Back"></form>
        -->
        <button type="submit" value="Join">Join</button>
        <a href="mng?id=3"><button type="button" value="return">Return</button></a>
    </form>

The jump is made through the ID: the Return button above requests mng?id=3, and the servlet forwards to the page that ID stands for.
There is one more, simpler way, which does not require placing every JSP file under WEB-INF. Only the pages that are reached from the login page go under WEB-INF. The servlet that the login page jumps to stores the user's account and password in the session object, and each page then starts with a check of the session, using JavaScript to send the user away if no login is found.

    function checkNull() {
        if (document.getElementById("id").value == "" || document.getElementById("id").value == null) {
            alert("The account cannot be empty!");
            document.getElementById("id").focus();
            document.getElementById("id").select();
            return false;
        }
        if (document.getElementById("Pass").value == "" || document.getElementById("Pass").value == null) {
            alert("The password cannot be empty!");
            document.getElementById("Pass").focus();
            document.getElementById("Pass").select();
            return false;
        }
        // the two password fields must match (the original had ("Password2")(value), a typo for .value)
        if (document.getElementById("Password").value != document.getElementById("Password2").value) {
            alert("The two password inputs are inconsistent!");
            document.getElementById("Password").focus();
            document.getElementById("Password").select();
            return false;
        }
        if (document.getElementById("Name").value == "" || document.getElementById("Name").value == null) {
            alert("The name cannot be empty!");
            document.getElementById("Name").focus();
            document.getElementById("Name").select();
            return false;
        }
        return true;
    }

The administrator login interface ensures security with a server-side check at the top of each admin page: if the session holds no administrator name, the page emits a script that sends the browser back to the login page.

    <%
        String adminid = (String) session.getAttribute("AdminName");
        if (adminid == null) {
    %>
    <script type="text/javascript" language="JavaScript">
        alert("You are not logged in ...");
        window.document.location.href = "/tennismatch/welcome";
    </script>
    <%
        }
    %>

Note that checkNull() runs in the browser and only improves the form's usability; a client can skip it, so the session check in the scriptlet is the part that actually enforces access.
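The two ideas above, an ID-to-JSP table and a session check before the forward, can be combined into one dispatcher. The following servlet is an added example and is not code from the article; it assumes Java 9 or later (for `Map.of`), the Servlet 3.0 `@WebServlet` annotation mapped to `/mng` to match the `mng?id=3` link, and reuses the article's `AdminName` session attribute and `/welcome` login path. The class name `SafeDispatcher` and the `resolve`/`target` helpers are names chosen here.

```java
package cn.edu.servlet;

import java.io.IOException;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not the article's code): the "id" parameter is used purely as
 * a lookup key into a fixed table of JSP paths. It is never concatenated into a
 * path, so a request cannot name any file the table does not list, and the
 * table itself records which IDs require a login.
 */
@WebServlet("/mng") // assumed mapping; the article's page links to "mng?id=3"
public class SafeDispatcher extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /** Session attribute the article's login servlet sets. */
    static final String ADMIN_ATTR = "AdminName";
    /** Login page the article redirects to when nobody is logged in. */
    static final String LOGIN_PATH = "/welcome";

    /** Pages anyone may open. */
    static final Map<String, String> PUBLIC_PAGES = Map.of(
            "1", "/index.jsp");

    /** Pages under WEB-INF that only a logged-in administrator may open. */
    static final Map<String, String> ADMIN_PAGES = Map.of(
            "2", "/WEB-INF/admin/add.jsp",
            "3", "/WEB-INF/admin/bisai.jsp",
            "4", "/WEB-INF/admin/gamema.jsp",
            "5", "/WEB-INF/admin/manager.jsp",
            "6", "/WEB-INF/admin/message.jsp",
            "7", "/WEB-INF/admin/modify.jsp",
            "8", "/WEB-INF/admin/pk.jsp",
            "9", "/WEB-INF/admin/result.jsp");

    /** Result of resolving an id: forward, demand a login, or reject. */
    enum Outcome { FORWARD, LOGIN_REQUIRED, NOT_FOUND }

    /** Pure decision logic, separated from the servlet plumbing so it can be unit tested. */
    static Outcome resolve(String id, boolean adminLoggedIn) {
        if (id == null) {
            return Outcome.NOT_FOUND;      // missing parameter: no NullPointerException
        }
        if (PUBLIC_PAGES.containsKey(id)) {
            return Outcome.FORWARD;
        }
        if (ADMIN_PAGES.containsKey(id)) {
            return adminLoggedIn ? Outcome.FORWARD : Outcome.LOGIN_REQUIRED;
        }
        return Outcome.NOT_FOUND;          // any other value, path-like or not, is simply unknown
    }

    /** The JSP a known id stands for; null for unknown ids. */
    static String target(String id) {
        String t = PUBLIC_PAGES.get(id);
        return t != null ? t : ADMIN_PAGES.get(id);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = req.getParameter("id");
        // getSession(false) does not create a session for anonymous callers
        HttpSession session = req.getSession(false);
        boolean admin = session != null && session.getAttribute(ADMIN_ATTR) != null;

        switch (resolve(id, admin)) {
            case FORWARD:
                // Server-side forward: the browser never sees the WEB-INF path
                req.getRequestDispatcher(target(id)).forward(req, resp);
                break;
            case LOGIN_REQUIRED:
                // Checked once here, before the forward, instead of in a scriptlet on every page
                resp.sendRedirect(req.getContextPath() + LOGIN_PATH);
                break;
            default:
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

With this layout, `resolve("3", false)` yields `LOGIN_REQUIRED` and `resolve("3", true)` yields `FORWARD`, while `resolve(null, true)` and any id not in the two tables yield `NOT_FOUND`; a caller's only influence on the forward target is choosing among the listed keys. Keeping the login decision in the dispatcher also means a new admin JSP is protected by adding one table entry rather than by remembering to paste the scriptlet at the top of the page.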
