JSP Security issues

JSP project between different JSP if only through hyperlinks to jump, security is too low, can not meet the real-life security requirements!
In order to improve security, you can jump through the servlet, when jumping to further achieve its security, can be placed in the Web-inf folder through the JSP file, so that security can be improved, but the problem accompanies, put in the Web-inf folder, how to access?
One way to achieve this: build another servlet class as a transit point for page jumps! The need to use the files placed in the Web-inf folder by using the ID to differentiate, when the need to access these JSP files directly through the broker and then get the ID of the JSP to access, that is, you can make the corresponding page jump!

The new Servlet class code is as follows:

 PackageCn.edu.servlet;ImportJava.io.IOException;ImportJavax.servlet.ServletException;ImportJavax.servlet.http.HttpServlet;ImportJavax.servlet.http.HttpServletRequest;ImportJavax.servlet.http.HttpServletResponse; Public  class MNG extends httpservlet {    Private Static Final LongSerialversionuid =1L Public void Doget(HttpServletRequest request, httpservletresponse response)throwsServletexception, IOException {String id = request.getparameter ("id");//The ID of the user-differentiated jump page obtained from the pageSystem.out.println ("Id="+ID);//I use when debugging, and no use        if(Id.equals ("1") {Request.getrequestdispatcher ("/index.jsp"). Forward (Request,response); }Else if(Id.equals ("2") {Request.getrequestdispatcher ("/web-inf/admin/add.jsp"). Forward (Request,response); }Else if(Id.equals ("3") {Request.getrequestdispatcher ("/web-inf/admin/bisai.jsp"). Forward (Request,response); }Else if(Id.equals ("4") {Request.getrequestdispatcher ("/web-inf/admin/gamema.jsp"). Forward (Request,response); }Else if(Id.equals ("5") {Request.getrequestdispatcher ("/web-inf/admin/manager.jsp"). Forward (Request,response); }Else if(Id.equals ("6") {Request.getrequestdispatcher ("/web-inf/admin/message.jsp"). Forward (Request,response); }Else if(Id.equals ("7") {Request.getrequestdispatcher ("/web-inf/admin/modify.jsp"). Forward (Request,response); }Else if(Id.equals ("8") {Request.getrequestdispatcher ("/web-inf/admin/pk.jsp"). Forward (Request,response); }Else if(Id.equals ("9") {Request.getrequestdispatcher ("/web-inf/admin/result.jsp"). Forward (Request,response); }    }}

The page code for the jump is as follows:

<form Action="Addservlet" method="POST">            <label>Race Number:</label><input type= "text" name= "id" placeholder=" Please enter the contest number "/><br />            <label>Contest Name:</label><input type="text" name= "gamename" placeholder=" Please enter the name of the contest "/><br />            <label>Race Time:</label><input type="text" name="Gametime"  Placeholder="* Format: YYYY.MM.DD"/><br />            <label>Match location:</label><input type="text" name="gameaddress" placeholder ="Please enter the contest location"/><br />            <label>Number limit:</label><input type="text" name= "gamenum" placeholder="* Format: Please fill in the integer "/><br />            <label>Registration deadline:</label><input type="text" name="Deadline"  Placeholder="* Format: YYYY.MM.DD"/><br />            <!--<form action= "" method= "post" ><input type= "Submit" value= "Add" ></form> <form action= "tennis_game/webroot/web-inf/bisai.jsp" method= "POST" ><input type= "button" value= "Back" > </form>            <button type="Submit" value="Add">Add to</button>            <a href="mng?id=3"><button type="button" value="return">Return</button></a>        </form>

Jump through the ID!
Another method is relatively simple, not to mention all the JSP files are all placed under the Web-inf file, just by the landing page to jump to the target page into the Web-inf file on the line, through the landing page to jump The Servlet class obtains the user's account password through Session object sessions and then, at the beginning of each page, verifies whether to log in by using JavaScript.

functionChecknull () {if(Document. getElementById ("id"). value==""||Document. getElementById ("id"). value==NULL) {alert ("account cannot be empty!" ");Document. getElementById ("id"). focus ();Document. getElementById ("id"). Select ();return false; }if(Document. getElementById ("Pass"). value==""||Document. getElementById ("Pass"). value==NULL) {alert ("The password cannot be empty!" ");Document. getElementById ("Pass"). focus ();Document. getElementById ("Pass"). Select ();return false; }if(Document. getElementById ("Password"). value!=Document. getElementById ("Password2") (value) {alert ("two times password input inconsistent!" ");Document. getElementById ("Password"). focus ();Document. getElementById ("Password"). Select ();return false; }if(Document. getElementById ("Name"). value==""||Document. getElementById ("Name"). value==NULL) {alert ("The name cannot be empty!" ");Document. getElementById ("Name"). focus ();Document. getElementById ("Name"). Select ();return false; }Else return true;} The Administrator login interface ensures security: <% String Adminid = (string) Session.getattribute ("AdminName");if(adminid==NULL) {%> <script type="Text/javascript"Language="JavaScript"> Alert ("You are not logged in ... ");window.Document. location.href="/tennismatch/welcome"; </script><%}%>

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

JSP Security issues