【Head First Servlets and JSP】笔记 27: web 应用安全
- 典型的安全问题:假冒者、窃听者、非法升级者
- 认证方式：BASIC（明文认证，凭据仅经 Base64 编码）、DIGEST（摘要认证）、CLIENT-CERT（客户端证书）、FORM（表单认证），重点熟悉摘要算法（HASH、MD5 等）
- 安全机制:授权、认证、数据完整性、机密性
- 80 端口（HTTP）、443 端口（HTTPS）
- 通过 HTTP 、 HTTPS 传输数据的区别, SSL 等概念
- 重放攻击、 SQL 注入等
【参考】
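<?xml version="1.0" encoding="UTF-8"?>
<!--
  Deployment descriptor for the security demo: two servlets (jack, dog) plus the
  declarative security side of the notes (roles, FORM login, one security-constraint).
  Blocks that are commented out are the alternatives the notes compare against
  (BASIC / DIGEST / CLIENT-CERT login, CONFIDENTIAL transport).
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Define servlets that are included in the web application -->
  <servlet>
    <servlet-name>jack</servlet-name>
    <servlet-class>sample.Jack</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>dog</servlet-name>
    <servlet-class>sample.Dog</servlet-class>
    <load-on-startup>2</load-on-startup>
    <!-- sample.Dog calls isUserInRole("VIP"); this alias is linked to the declared role Member -->
    <security-role-ref>
      <role-name>VIP</role-name>
      <role-link>Member</role-link>
    </security-role-ref>
  </servlet>

  <!-- /abc/3 is an exact mapping and takes precedence over jack's /abc/* prefix mapping -->
  <servlet-mapping>
    <servlet-name>jack</servlet-name>
    <url-pattern>/abc/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>dog</servlet-name>
    <url-pattern>/abc/3</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>dog</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Error pages live under /WEB-INF so they cannot be requested directly -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/WEB-INF/jsp/exception/common-exception.jsp</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/jsp/exception/404-exception.jsp</location>
  </error-page>

  <!-- abc/3 is a servlet path (the dog servlet), not a static file -->
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>abc/3</welcome-file>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Roles referenced by auth-constraint and security-role-ref; Guest is declared but not used below -->
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
  <security-role>
    <role-name>Member</role-name>
  </security-role>
  <security-role>
    <role-name>Guest</role-name>
  </security-role>

  <!--
    Alternative auth methods from the notes, kept commented out for comparison:
    <login-config><auth-method>BASIC</auth-method></login-config>        plaintext credentials (Base64-encoded only)
    <login-config><auth-method>DIGEST</auth-method></login-config>       digest authentication
    <login-config><auth-method>CLIENT-CERT</auth-method></login-config>  client certificate
  -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/loginPage.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>UpdateRecipe</web-resource-name>
      <url-pattern>/abc/3</url-pattern>
      <!-- Only GET is constrained here; see deny-uncovered-http-methods below for the other methods -->
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>Member</role-name>
    </auth-constraint>
    <!--<user-data-constraint>-->
    <!--<transport-guarantee>CONFIDENTIAL</transport-guarantee>-->
    <!--</user-data-constraint>-->
    <!--
      Transport guarantee for the resource (so the password is not sent in plaintext).
      Tomcat needs port 8443 enabled and a certificate; this involves HTTPS, SSL and related
      security protocols. Without it the FORM login above submits credentials over plain HTTP.
    -->
  </security-constraint>

  <!--
    Listing only GET in the constraint leaves every other method on /abc/3 (HEAD, POST, ...)
    uncovered, i.e. reachable without any authentication. Servlet 3.1 lets the descriptor
    reject those uncovered methods with 403 instead of serving them.
  -->
  <deny-uncovered-http-methods/>
</web-app>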
loginPage.jsp :
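<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%--
  FORM login page referenced by <form-login-page> in web.xml.
  The action "j_security_check" and the field names "j_username" / "j_password" are fixed by
  the Servlet specification; the container, not this page, validates the credentials.
--%>
<html>
<head>
    <title>Authorization</title>
</head>
<body>
<form method="post" action="j_security_check">
    <p><input type="text" name="j_username" /></p>
    <%-- type="secret" is not an HTML input type: browsers fall back to a plain text box and
         echo the password on screen. "password" masks the typed value. --%>
    <p><input type="password" name="j_password" /></p>
    <p><input type="submit" value="Enter" /></p>
</form>
</body>
</html>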
Servlet :
package sample;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

/**
 * Demo servlet for programmatic authorization; mapped in web.xml to /abc/3 and *.do.
 * The declarative side (security-constraint, security-role, the VIP to Member
 * security-role-ref) lives in web.xml; this class shows the programmatic counterpart
 * through isUserInRole and getRemoteUser.
 */
public class Dog extends HttpServlet {

    /**
     * Writes a small text/html page. The two VIP-only lines are emitted only when the
     * caller's roles map to the "VIP" alias; the closing line is emitted for every caller.
     *
     * @param req  incoming request, supplies the caller's principal and roles
     * @param resp response the page is written to
     * @throws ServletException propagated from the servlet API
     * @throws IOException      if the response writer cannot be obtained or written
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html");
        final PrintWriter writer = resp.getWriter();

        // [Authorization] programmatic check; the declarative equivalent is the
        // security-constraint in web.xml. "VIP" is the alias from security-role-ref.
        final boolean isVip = req.isUserInRole("VIP");
        if (isVip) {
            writer.println("Only VIP can see.");
            // [Authentication] name of the authenticated principal (the username).
            // NOTE(review): written into text/html unescaped; confirm user names cannot carry markup.
            writer.println(req.getRemoteUser());
        }
        writer.println("he is not jack.");
    }
}