zoukankan      html  css  js  c++  java
  • 【Head First Servlets and JSP】笔记 27: web 应用安全

    • 典型的安全问题:假冒者、窃听者、非法升级者
    • 认证方式: Base64 、摘要认证 、客户端证书、表单认证,重点熟悉摘要算法( HASH 、 MD5 等)
    • 安全机制:授权、认证、数据完整性、机密性
    • 80 端口、 443 端口
    • 通过 HTTP 、 HTTPS 传输数据的区别, SSL 等概念
    • 重放攻击、 SQL 注入等 

    【参考】

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
             version="3.1">
    
        <!-- Define servlets that are included in the web application -->
    
        <servlet>
            <servlet-name>jack</servlet-name>
            <servlet-class>sample.Jack</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet>
            <servlet-name>dog</servlet-name>
            <servlet-class>sample.Dog</servlet-class>
            <load-on-startup>2</load-on-startup>
            <security-role-ref>
                <role-name>VIP</role-name>
                <role-link>Member</role-link>
            </security-role-ref>
        </servlet>
    
    
        <servlet-mapping>
            <servlet-name>jack</servlet-name>
            <url-pattern>/abc/*</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>dog</servlet-name>
            <url-pattern>/abc/3</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>dog</servlet-name>
            <url-pattern>*.do</url-pattern>
        </servlet-mapping>
    
    
        <error-page>
            <exception-type>java.lang.Throwable</exception-type>
            <location>/WEB-INF/jsp/exception/common-exception.jsp</location>
        </error-page>
        <error-page>
            <error-code>404</error-code>
            <location>/WEB-INF/jsp/exception/404-exception.jsp</location>
        </error-page>
    
        <welcome-file-list>
            <welcome-file>index.html</welcome-file>
            <welcome-file>abc/3</welcome-file>
            <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
    
        <security-role>
            <role-name>Admin</role-name>
        </security-role>
        <security-role>
            <role-name>Member</role-name>
        </security-role>
        <security-role>
            <role-name>Guest</role-name>
        </security-role>
    
        <!--<login-config>-->
            <!--<auth-method>BASIC 明文认证</auth-method>-->
        <!--</login-config>-->
        <!--<login-config>-->
            <!--<auth-method>DIGEST 摘要认证</auth-method>-->
        <!--</login-config>-->
        <!--<login-config>-->
            <!--<auth-method>CLIENT-CERT 客户端证书</auth-method>-->
        <!--</login-config>-->
        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/loginPage.jsp</form-login-page>
                <form-error-page>/loginError.jsp</form-error-page>
            </form-login-config>
        </login-config>
    
        <security-constraint>
    
            <web-resource-collection>
                <web-resource-name>UpdateRecipe</web-resource-name>
                <url-pattern>/abc/3</url-pattern>
                <http-method>GET</http-method>
            </web-resource-collection>
    
            <auth-constraint>
                <role-name>Admin</role-name>
                <role-name>Member</role-name>
            </auth-constraint>
    
            <!--<user-data-constraint>-->
                <!--<transport-guarantee>CONFIDENTIAL</transport-guarantee>-->
            <!--</user-data-constraint>-->
            <!-- 对资源进行传输保证(不至于明文传输密码)
            tomcat 需要开启 8443 端口,并且需要一个证书,涉及到 HTTPS、SSL 等安全协议 -->
        </security-constraint>
    
    </web-app>

     loginPage.jsp :

    <%@ page contentType="text/html;charset=UTF-8" language="java" %>
    <html>
    <head>
        <title>Authorization</title>
    </head>
    <body>
        <form method="post" action="j_security_check">
            <p><input type="text" name="j_username" /></p>
            <p><input type="secret" name="j_password" /></p>
            <p><input type="submit" value="Enter"></p>
        </form>
    </body>
    </html>

     Servlet :

    package sample;
    
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;
    import java.io.PrintWriter;
    
    public class Dog extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            resp.setContentType("text/html");
            PrintWriter out = resp.getWriter();
            if (req.isUserInRole("VIP")) { // 【授权】程序式授权,对应的是在 web.xml 中的声明式授权
                out.println("Only VIP can see.");
                out.println(req.getRemoteUser()); // 【认证】确认用户身份,打印出来是 username
            }
            out.println("he is not jack.");
        }
    }
  • 相关阅读:
    ngx-bootstrap使用04 carousel组件
    ngx-bootstrap使用03 Alerts组件、利用Object.assign复制对象
    ngx-bootstrap使用02 Accordion组件的使用
    ngx-bootstrap使用01 安装ngx-bootstrap和bootstrap及其使用、外部样式引入
    SpringBoot11 读取properties文件、发送邮件
    SpringBoot10 整合JSP
    SpringBoot09 自定义servlet、注册自定义的servlet、过滤器、监听器、拦截器、切面、webmvcconfigureradapter过时问题
    红帽系统制作yum本地源
    利用python数据分析panda学习笔记之基本功能
    利用python数据分析panda学习笔记之DataFrame
  • 原文地址:https://www.cnblogs.com/xkxf/p/7307415.html
Copyright © 2011-2022 走看看