网页安全性
问题
最近在写一个 Java Web 项目，在基本完成登录、注册功能后测试时发现一个致命的 bug：直接在地址栏输入固定网址，竟然可以跳过登录、注册直接进入主页。经过查询后发现，通过过滤器（Filter）可以解决该问题。
解决步骤
1.配置xml
<filter>
<filter-name>LoginFilter</filter-name>
<filter-class>controller.LoginFilter</filter-class><!-- 该处为 Filter 类的完全限定名（包名.类名） -->
</filter>
<filter-mapping>
<filter-name>LoginFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2. 编写 Filter 类的代码
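/**
 * Servlet filter mapped to {@code /*} that requires a logged-in session for every
 * request except the context root and an explicit list of public paths.
 *
 * <p>A request is considered authenticated when the existing session holds a
 * non-empty {@code "username"} attribute. Unauthenticated requests to protected
 * paths receive a small HTML/JavaScript page that redirects to {@code login.jsp}.
 *
 * <p>Public paths are matched against the request path relative to the context
 * root (never against the host name or the query string), by exact match or by
 * trailing path component. The earlier version matched the entries as substrings
 * of the whole request URL, which exempted any protected URL that happened to
 * contain one of the words and any request whose Host header contained the
 * whitelisted host name.
 */
public class LoginFilter implements Filter {

    /**
     * Paths, relative to the context root and without a leading slash, that may be
     * reached without a login. A request is exempt when its relative path equals an
     * entry or ends with {@code "/" + entry}, so static files such as
     * {@code check.js} match wherever they are served from.
     *
     * <p>The former entry {@code "smtp.qq.com"} is intentionally absent: it is a host
     * name, not a request path, and with substring matching on the full URL it
     * exempted every request carrying that host name.
     */
    private static final String[] PUBLIC_PATHS = {
        "login", "checkUsername", "findPassword", "ajax/getEmail", "jihuo",
        "helloworld", "resetPassword", "toFindPassword3",
        "index.jsp", "login.jsp", "regist.jsp", "fogertpassword.jsp",
        "resetPassword.jsp", "result.jsp", "mobileLogin.jsp",
        "MD5.js", "check.js", "jquery-1.11.1.min.js"
    };

    /**
     * Decides whether the current request may proceed.
     *
     * @param servletRequest  the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain     the remaining filter chain, invoked only for permitted requests
     * @throws IOException      if writing the redirect page fails
     * @throws ServletException if the request is not an HTTP request, or from the chain
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)
                || !(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException("OncePerRequestFilter just supports HTTP requests");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        String relativePath = relativePath(httpRequest);

        // The context root itself (empty relative path) and the listed paths are public.
        if (relativePath.isEmpty() || isPublicPath(relativePath)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // getSession(false): an anonymous request must not create a server-side session.
        HttpSession session = httpRequest.getSession(false);
        Object loginInfo = session == null ? null : session.getAttribute("username");
        if (loginInfo instanceof String && !((String) loginInfo).isEmpty()) {
            // Logged in: let the request through.
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // Not logged in: send the user back to the login page.
        sendToLogin(httpRequest, httpResponse);
    }

    /**
     * Returns the request path relative to the context root: context path and leading
     * slashes removed, and any path parameters ({@code ;name=value}) stripped so that
     * they cannot influence the public-path decision.
     *
     * @param request the current request
     * @return the relative path, empty for the context root
     */
    private static String relativePath(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String contextPath = request.getContextPath();
        String path = uri.startsWith(contextPath) ? uri.substring(contextPath.length()) : uri;
        int semicolon = path.indexOf(';');
        if (semicolon >= 0) {
            path = path.substring(0, semicolon);
        }
        while (path.startsWith("/")) {
            path = path.substring(1);
        }
        return path;
    }

    /**
     * Tells whether a relative request path is one of the public paths.
     *
     * <p>Paths that are not in canonical form (containing {@code ".."} or percent
     * encoding) are never treated as public; they fall through to the session check.
     *
     * @param relativePath path relative to the context root, without leading slash
     * @return {@code true} if the path may be served without a login
     */
    static boolean isPublicPath(String relativePath) {
        if (relativePath.contains("..") || relativePath.indexOf('%') >= 0) {
            return false;
        }
        for (String entry : PUBLIC_PATHS) {
            if (relativePath.equals(entry) || relativePath.endsWith("/" + entry)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Writes the "please log in" page that redirects to {@code login.jsp}.
     *
     * <p>The status is set to 401 so that unauthenticated hits are distinguishable
     * from successful requests in access logs; the JavaScript redirect works
     * regardless of the status code.
     *
     * @param request  the current request (used for the context path)
     * @param response the response to write to
     * @throws IOException if the response writer cannot be obtained
     */
    private static void sendToLogin(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String returnUrl = request.getContextPath() + "/login.jsp";
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("text/html; charset=UTF-8");
        response.getWriter().println(
                "<script language=\"javascript\">alert(\"您还没有登录,请先登录!\");if(window.opener==null){window.top.location.href=\""
                        + returnUrl
                        + "\";}else{window.opener.top.location.href=\""
                        + returnUrl
                        + "\";window.close();}</script>");
    }

    /** No initialization needed. */
    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }
}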