【Head First Servlets and JSP】笔记 27: web 应用安全

 

  • 典型的安全问题:假冒者、窃听者、非法升级者
  • 认证方式: Base64 、摘要认证 、客户端证书、表单认证,重点熟悉摘要算法( HASH 、 MD5 等)
  • 安全机制:授权、认证、数据完整性、机密性
  • 80 端口、 443 端口
  • 通过 HTTP 、 HTTPS 传输数据的区别, SSL 等概念
  • 重放攻击、 SQL 注入等 

【参考】

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <!-- Define servlets that are included in the web application -->

    <servlet>
        <servlet-name>jack</servlet-name>
        <servlet-class>sample.Jack</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>dog</servlet-name>
        <servlet-class>sample.Dog</servlet-class>
        <load-on-startup>2</load-on-startup>
        <security-role-ref>
            <role-name>VIP</role-name>
            <role-link>Member</role-link>
        </security-role-ref>
    </servlet>


    <servlet-mapping>
        <servlet-name>jack</servlet-name>
        <url-pattern>/abc/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>dog</servlet-name>
        <url-pattern>/abc/3</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>dog</servlet-name>
        <url-pattern>*.do</url-pattern>
    </servlet-mapping>


    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/WEB-INF/jsp/exception/common-exception.jsp</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/WEB-INF/jsp/exception/404-exception.jsp</location>
    </error-page>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>abc/3</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-role>
        <role-name>Admin</role-name>
    </security-role>
    <security-role>
        <role-name>Member</role-name>
    </security-role>
    <security-role>
        <role-name>Guest</role-name>
    </security-role>

    <!--<login-config>-->
        <!--<auth-method>BASIC 明文认证</auth-method>-->
    <!--</login-config>-->
    <!--<login-config>-->
        <!--<auth-method>DIGEST 摘要认证</auth-method>-->
    <!--</login-config>-->
    <!--<login-config>-->
        <!--<auth-method>CLIENT-CERT 客户端证书</auth-method>-->
    <!--</login-config>-->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/loginPage.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-constraint>

        <web-resource-collection>
            <web-resource-name>UpdateRecipe</web-resource-name>
            <url-pattern>/abc/3</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>Admin</role-name>
            <role-name>Member</role-name>
        </auth-constraint>

        <!--<user-data-constraint>-->
            <!--<transport-guarantee>CONFIDENTIAL</transport-guarantee>-->
        <!--</user-data-constraint>-->
        <!-- 对资源进行传输保证(不至于明文传输密码)
        tomcat 需要开启 8443 端口,并且需要一个证书,涉及到 HTTPS、SSL 等安全协议 -->
    </security-constraint>

</web-app>

 loginPage.jsp :

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>Authorization</title>
</head>
<body>
    <form method="post" action="j_security_check">
        <p><input type="text" name="j_username" /></p>
        <p><input type="secret" name="j_password" /></p>
        <p><input type="submit" value="Enter"></p>
    </form>
</body>
</html>

 Servlet :

package sample;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class Dog extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        if (req.isUserInRole("VIP")) { // 【授权】程序式授权,对应的是在 web.xml 中的声明式授权
            out.println("Only VIP can see.");
            out.println(req.getRemoteUser()); // 【认证】确认用户身份,打印出来是 username
        }
        out.println("he is not jack.");
    }
}

 

posted @ 2017-08-08 16:28  xkfx  阅读(309)  评论(0编辑  收藏  举报