JSP training (11) -- security control in Java Web

Source: Internet
Author: User

Objectives:
• understand the general flow after logon;
• add security control to each page;
• share the verification code between pages;
• use a filter to verify permissions;
• control the security of part of a file's content;
• master the basic implementation of a security verification code;
• enhance security through exception handling.

Main content:
• modify the earlier logon function so that the administrator and common users are processed separately;
• add control to the pages that only the administrator may access;
• share the control code used on each page by placing it in a dedicated file and calling it where needed;
• use a filter to reduce repeated verification code;
• use the standard tag library to control the security of part of a page;
• describe the basic implementation of a security verification code.

1. Improve the logon function

Normally, after a successful logon the administrator is taken to the administrator's default work interface, and a common user is taken to the common user's default work interface. After a failed logon the user is returned to the logon interface to log on again. To implement this, an administrator interface and a common user interface are needed. The administrator interface is the file Manager.jsp:

------------------------- code Manager.jsp ----------------------------------
<%@ page contentType="text/html; charset=gb2312" %>
Administrator operation interface
------------------------------------------ end ---------------------------------------------------

The common user interface is the file commonuser.jsp:

------------------------- code commonuser.jsp ----------------------------------
<%@ page contentType="text/html; charset=gb2312" %>
Common user interface
------------------------------------------ end ---------------------------------------------------

Next, modify the login servlet so that it forwards to the right interface. The modified code is as follows:

------------------------- code loginprocess.java ----------------------------------
package servlet;

import JavaBean.User;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginProcess extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // obtain the submitted information
        String username = request.getParameter("username");
        String userpass = request.getParameter("userpass");
        // call the JavaBean to look the user up by name
        User user = new User();
        user = user.findUserByName(username);
        String forward;
        if (user == null) {
            forward = "failure.jsp";
        } else if (user.getUserPass().equals(userpass)) {
            if (user.getUserType().equals("1")) {
                forward = "Manager.jsp";      // administrator
            } else {
                forward = "commonuser.jsp";   // common user
            }
        } else {
            forward = "failure.jsp";
        }
        RequestDispatcher rd = request.getRequestDispatcher(forward);
        rd.forward(request, response);
    }
}
------------------------------------------ end ---------------------------------------------------

2. Add security control to each interface

After a successful logon in the example above, the administrator interface or the common user interface is displayed. However, the logon interface can be skipped entirely by requesting the administrator interface directly, for example by entering http://127.0.0.1:8080/CH11/manager.jsp. To solve this problem, security control must be added to every interface that has access restrictions. Two tasks are needed:
• write the user's information into the session after logon;
• read that information from the session on each page and verify it.

After logon, the user information is written to the session. The modified loginprocess.java is shown below:

------------------------- code loginprocess.java ----------------------------------
package servlet;

import JavaBean.User;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginProcess extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // obtain the submitted information
        String username = request.getParameter("username");
        String userpass = request.getParameter("userpass");
        // call the JavaBean to look the user up by name
        User user = new User();
        user = user.findUserByName(username);
        // obtain the session object
        HttpSession session = request.getSession(true);
        String forward;
        if (user == null) {
            forward = "failure.jsp";
        } else if (user.getUserPass().equals(userpass)) {
            if (user.getUserType().equals("1")) {
                // store the user type in the session object
                session.setAttribute("usertype", "1");
                forward = "Manager.jsp";
            } else {
                session.setAttribute("usertype", "0");
                forward = "commonuser.jsp";
            }
        } else {
            forward = "failure.jsp";
        }
        RequestDispatcher rd = request.getRequestDispatcher(forward);
        rd.forward(request, response);
    }
}
------------------------------------------ end ---------------------------------------------------

Taking commonuser.jsp as the example, this is how the security control is implemented in each file. The modified code:

------------------------- code commonuser.jsp ----------------------------------
<%@ page contentType="text/html; charset=gb2312" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:if test="${usertype != '0'}">
    <jsp:forward page="login.jsp"/>
</c:if>
Common user interface
------------------------------------------ end ---------------------------------------------------

Run the login process again: if you access commonuser.jsp directly without logging on, you are sent to the login interface.

3. Use a dedicated file for verification

Because many pages need the same verification code, the code can be shared in a single file, which each page then calls. Using commonuser.jsp as the example, the shared code is stored in a dedicated file:

------------------------- code check.jsp ----------------------------------
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:if test="${usertype != '0'}">
    <jsp:forward page="login.jsp"/>
</c:if>
------------------------------------------ end ---------------------------------------------------

The dedicated file is then imported into every file that needs verification. With commonuser.jsp:

------------------------- code commonuser.jsp ----------------------------------
<%@ page contentType="text/html; charset=gb2312" %>
<%@ include file="check.jsp" %>
Common user interface
------------------------------------------ end ---------------------------------------------------

This uses the include directive to include the target file: when the JSP is converted into a Java file, the code of the target file is copied into the current file. Run the test again; the results are the same as before.

4. Use a filter to verify permissions

Put files with the same permission requirements in the same folder, so that access to the folder can be filtered uniformly. Write the filter class. The code is as follows:

------------------------- code CommonCheck.java ----------------------------------
package servlet;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CommonCheck implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // get the session
        HttpSession session = ((HttpServletRequest) request).getSession(true);
        // obtain the user type stored at logon
        String usertype = (String) session.getAttribute("usertype");
        // decide: only a logged-on common user (usertype "0") may continue
        if (usertype == null || usertype.equals("1")) {
            ((HttpServletResponse) response).sendRedirect("../login.jsp");
            return;   // stop here so the protected file is never executed
        }
        // continue to call the other filters and the target file
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }
}
------------------------------------------ end ---------------------------------------------------

Configure the filter. The configuration of a filter is very similar to that of a servlet; add the following to web.xml:

    <filter>
        <filter-name>commoncheck</filter-name>
        <filter-class>servlet.CommonCheck</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>commoncheck</filter-name>
        <url-pattern>/commonuser/*</url-pattern>
    </filter-mapping>

Using /commonuser/* as the url-pattern means that every access to the commonuser folder passes through the filter; if the user has not logged on, the target file cannot be reached.

Test: to test the function, create a folder named commonuser and copy commonuser.jsp into it. The test procedure is as follows:
• Access http://127.0.0.1:8080/CH11/commonuser/commonuser.jsp. The login interface is displayed: because a file in the commonuser folder is accessed while the user has not logged on, the filter processes the request and jumps to the login interface.
• Enter the correct user name and password on the logon page, then enter the address above in the address bar again. The content of commonuser.jsp is displayed, which shows that the verification succeeded.

5. Control the security of part of a file's content

The preceding sections describe security control at the file level. Sometimes security control is needed for only part of the content of a file, for example an item list interface: if the current user is an administrator, the management functions can be performed in it, but not by a common user. This requires local control, which is implemented mainly with the <c:if> tag of the standard tag library.

6. Basic implementation of a security verification code

Many websites adopt several security measures: SSL access, U-Shield USB tokens and password cards (as used by ICBC), and information encryption. A security verification code is a popular and effective measure: it effectively prevents a password from being cracked by trying every possible combination. The basic working principle is as follows: each time the client accesses the server, the server generates a verification code, displays it to the user in graphical form and keeps a copy on the server side. When the user submits the form, the verification code must be submitted to the server at the same time. The server compares the submitted code with its own copy; if they are the same the request is processed, and if they differ the user is asked to re-enter it. Because the verification code changes on every request, anyone who wants to crack a password must first deal with the changed verification code each time, which increases the difficulty of cracking.

7. Enhance security through exception handling

Sometimes attacks on a website are aimed at the server software the website runs on, because many servers have bugs of their own. If exceptions are not handled effectively, the error information is displayed to the client, and that error information lets the client discover the server's version, which makes malicious attacks more convenient. For example, enter http://127.0.0.1:8080/CH11/abc.jsp, where abc.jsp is a file that does not exist: if this is not handled, the server information is displayed to the client. If you handle the various exceptions and prevent users from seeing which technologies and servers you use, attacking the site becomes more difficult. A student once completed a website using JSP technology; after configuration, every file suffix seen by the client was .php, which made it look like a website written with PHP technology.
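The filter in section 4 handles one folder and one user type. The following added example (not part of the tutorial) generalizes it to one filter that guards several folders, each for one user type, and fixes two practical points: it does not create a session for anonymous requests (getSession(false)), and it redirects with a context-relative path and stops the chain. It assumes the session attribute "usertype" with the values "1" and "0" from the tutorial, a commonuser folder as in the tutorial, an assumed manager folder for administrator files, and login.jsp at the root of the web application; the class name RoleCheckFilter is also an assumption.

```java
package servlet;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the tutorial's code: one filter protecting several folders.
 * Map it in web.xml with two filter-mapping entries, /commonuser/* and /manager/*.
 */
public class RoleCheckFilter implements Filter {

    /** Returns the usertype value a path requires, or null when the path is public. */
    static String requiredType(String pathWithinContext) {
        if (pathWithinContext.startsWith("/manager/")) {
            return "1";   // administrator folder (assumed name)
        }
        if (pathWithinContext.startsWith("/commonuser/")) {
            return "0";   // common user folder from the tutorial
        }
        return null;
    }

    /** Pure decision: may a session holding this usertype reach the path? */
    static boolean isAllowed(String sessionUserType, String pathWithinContext) {
        String required = requiredType(pathWithinContext);
        return required == null || required.equals(sessionUserType);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application, e.g. "/commonuser/commonuser.jsp"
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // getSession(false): an anonymous request must not create a session
        HttpSession session = request.getSession(false);
        String usertype = (session == null) ? null : (String) session.getAttribute("usertype");

        if (!isAllowed(usertype, path)) {
            // Context-relative target works at any folder depth; return stops the chain
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }
}
```

The decision is kept in the static isAllowed method so that it can be unit-tested without a servlet container, and because the filter only ever runs for the folders it is mapped to in web.xml, a path that matches no folder in requiredType is simply passed through.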
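The principle in section 6 (generate a code, keep a copy on the server, compare on submit) can be implemented as a small servlet. This is an added example and not the tutorial's code; it assumes a servlet mapping to /captcha, a session attribute named "captcha", and that login.jsp shows the image with an img tag pointing at that mapping and posts the user's answer as a form field. Beyond the page's description it adds three details a practitioner wants: an unpredictable source for the code (SecureRandom), single use of each stored code, and a constant-time comparison.

```java
package servlet;

import java.awt.Color;
import java.awt.Font;
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.imageio.ImageIO;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the tutorial's code. Map to /captcha in web.xml (assumed);
 * the login servlet calls verify(session, submitted) before it checks the password.
 */
public class CaptchaServlet extends HttpServlet {

    static final String SESSION_KEY = "captcha";   // session attribute name (assumed)
    // Characters without look-alikes (no 0/O, 1/l/I), so users can read them reliably
    static final String ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Generates a fresh code from an unpredictable random source. */
    static String newCode(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Renders the code as the image the user has to read. */
    static BufferedImage render(String code) {
        BufferedImage img = new BufferedImage(120, 40, BufferedImage.TYPE_INT_RGB);
        Graphics2D g = img.createGraphics();
        g.setColor(Color.WHITE);
        g.fillRect(0, 0, 120, 40);
        g.setFont(new Font("SansSerif", Font.BOLD, 26));
        for (int i = 0; i < code.length(); i++) {
            g.setColor(new Color(RANDOM.nextInt(120), RANDOM.nextInt(120), RANDOM.nextInt(120)));
            g.drawString(String.valueOf(code.charAt(i)), 10 + i * 22, 28 + RANDOM.nextInt(7) - 3);
        }
        for (int i = 0; i < 6; i++) {   // noise lines make automatic reading harder
            g.drawLine(RANDOM.nextInt(120), RANDOM.nextInt(40), RANDOM.nextInt(120), RANDOM.nextInt(40));
        }
        g.dispose();
        return img;
    }

    /**
     * Compares the submitted code with the server-side copy. The copy is removed
     * first, so each code can be tried exactly once, whether or not it matches.
     */
    static boolean verify(HttpSession session, String submitted) {
        if (session == null || submitted == null) {
            return false;
        }
        String expected = (String) session.getAttribute(SESSION_KEY);
        session.removeAttribute(SESSION_KEY);   // single use: the next attempt needs a new image
        if (expected == null) {
            return false;
        }
        // Constant-time comparison; the alphabet is upper case, so normalize the input
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.trim().toUpperCase().getBytes(StandardCharsets.UTF_8));
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String code = newCode(5);
        request.getSession(true).setAttribute(SESSION_KEY, code);   // server-side copy
        response.setContentType("image/png");
        response.setHeader("Cache-Control", "no-store");             // a new code on every request
        ImageIO.write(render(code), "png", response.getOutputStream());
    }
}
```

In the login servlet the call is made before the user lookup, so that a wrong verification code never reaches the password comparison; because verify removes the stored value, a failed attempt forces the browser to load a new image before the next try, which is exactly the property section 6 relies on.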
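For section 7, the usual way to keep the server's own error pages (which name the server and its version) away from the client is to register one error page for all status codes and exceptions in web.xml and have it show only generic text, while the details go to the server log. The following is an added example and not the tutorial's code; it assumes the servlet is mapped to /error and that web.xml contains error-page elements with error-code 404 and exception-type java.lang.Throwable whose location is /error. The request attributes it reads (javax.servlet.error.status_code, javax.servlet.error.exception, javax.servlet.error.request_uri) are the ones the servlet specification defines for error pages.

```java
package servlet;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the tutorial's code: one generic error page for every
 * failure. Mapped to /error (assumed) and referenced by the error-page entries in web.xml.
 */
public class ErrorPageServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(ErrorPageServlet.class.getName());

    /** The only text the client sees: no exception class, stack trace or server name. */
    static String clientMessage(Integer statusCode) {
        if (statusCode != null && statusCode == 404) {
            return "The page you requested does not exist.";
        }
        return "The request could not be processed. Please try again later.";
    }

    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Attributes the container sets when it forwards to an error page
        Integer status = (Integer) request.getAttribute("javax.servlet.error.status_code");
        Throwable cause = (Throwable) request.getAttribute("javax.servlet.error.exception");
        String uri = (String) request.getAttribute("javax.servlet.error.request_uri");

        // Full details stay on the server, tied to a reference the user can quote
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "error ref=" + ref + " status=" + status + " uri=" + uri, cause);

        response.setStatus(status == null ? HttpServletResponse.SC_INTERNAL_SERVER_ERROR : status);
        response.setContentType("text/html; charset=gb2312");   // same charset as the tutorial's pages
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<p>" + clientMessage(status) + "</p>");
        out.println("<p>Reference: " + ref + "</p>");
        out.println("</body></html>");
    }
}
```

With this in place, the http://127.0.0.1:8080/CH11/abc.jsp request from section 7 returns the generic 404 text instead of the container's page, and an unhandled exception in any JSP returns the generic 500 text while the stack trace is still available in the server log under the printed reference.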

Reference material: Basic tutorial on Java Web Programming
