urlrewrite-------解决大型WEB系统URL暴露安全问题

 

     未经过改写的WEB系统的URL可以泄漏工程文件的目录，为了保证WEB系统的安全，免遭黑客的攻击，我们通常要对URL进行重写，目的就是使访问者看不到真实的路径，从而可以减少黑客攻击的可能性，下面给出一个简单的登陆例子,将http://localhost:8080/urlrewrite/login.do改写为http://localhost:8080/urlrewrite/mylogin/

1.首先去CSDN下载频道搜索urlrewrite-2.6.0.jar这个文件，然后将其放在工程目录的WEB-INFO/LIB下。

2.配置web.xml

 

<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.5" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <servlet> <servlet-name>action</servlet-name> <servlet-class>org.apache.struts.action.ActionServlet</servlet-class> <init-param> <param-name>config</param-name> <param-value>/WEB-INF/struts-config.xml</param-value> </init-param> <init-param> <param-name>debug</param-name> <param-value>3</param-value> </init-param> <init-param> <param-name>detail</param-name> <param-value>3</param-value> </init-param> <load-on-startup>0</load-on-startup> </servlet> <servlet-mapping> <servlet-name>action</servlet-name> <url-pattern>*.do</url-pattern> </servlet-mapping> <filter> <filter-name>UrlRewriteFilter</filter-name> <filter-class> org.tuckey.web.filters.urlrewrite.UrlRewriteFilter </filter-class> <init-param> <param-name>logLevel</param-name> <param-value>WARN</param-value> </init-param> </filter> <filter-mapping> <filter-name>UrlRewriteFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> </filter-mapping> <welcome-file-list> <welcome-file>login.jsp</welcome-file> </welcome-file-list> </web-app>

 3.编写页面login.jsp.success.jsp以及failure.jsp

login.jsp <%@ page language="java" import="java.util.*" pageEncoding="utf-8"%> <%@ taglib uri="http://java.sun.com/jsp/jstl/core"prefix="c"%> <% String path = request.getContextPath(); String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/"; %> <html> <body> <form action="<c:url value='/login.do'/>" method="post"> <center> 用户名:<input type="text" name="username"/> 密 码:<input type="password" name="password"/> <input type="submit"value="提交"/> </center> </form> </body> </html> success.jsp <%@ page language="java" import="java.util.*" pageEncoding="utf-8"%> <html> <body> success! </body> </html> failure.jsp <%@ page language="java" import="java.util.*" pageEncoding="utf-8"%> <html> <body> failure! </body> </html>

4.编写action处理类及其配置struts-config.properties

LoginAction.java package com.zxc.struts.action; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.struts.action.Action; import org.apache.struts.action.ActionForm; import org.apache.struts.action.ActionForward; import org.apache.struts.action.ActionMapping; public class LoginAction extends Action { public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) { // TODO Auto-generated method stub String username=request.getParameter("username")==null?"":request.getParameter("username"); String password=request.getParameter("password")==null?"":request.getParameter("password"); if(username.equals("java")&&password.equals("java")) return mapping.findForward("success"); else return mapping.findForward("failure"); } } struts-config.properties <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE struts-config PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 1.3//EN" "http://struts.apache.org/dtds/struts-config_1_3.dtd"> <struts-config> <form-beans /> <global-exceptions /> <global-forwards /> <action-mappings > <action path="/login" type="com.zxc.struts.action.LoginAction" cancellable="true" > <forward name="success" path="/success.jsp"/> <forward name="failure" path="/failure.jsp"/> </action> </action-mappings> <message-resources parameter="com.zxc.struts.ApplicationResources" /> </struts-config>

5.配置urlrewrite.xml文件，注意将其放到与web.xml同级目录中，并且配置的时候正向和逆向都得配置

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 2.6//EN" "http://tuckey.org/res/dtds/urlrewrite2.6.dtd"> <!-- Configuration file for UrlRewriteFilter http://tuckey.org/urlrewrite/ --> <urlrewrite> <!-- 正向 --> <rule> <note> Login </note> <from>^/mylogin[/]?$</from> <to>/login.do</to> </rule> <!-- 逆向 --> <!-- Copy of invoice order --> <outbound-rule> <note>Login</note> <from>/login.do</from> <to>/mylogin/</to> </outbound-rule> </urlrewrite>

6.运行结果

输入用户名和密码之后，你会发现浏览器的地址变成了http://localhost:8080/urlrewrite/mylogin/