【Head First Servlets and JSP】笔记 27: web 应用安全

时间:2022-05-17 21:06:43

【须知】

  • 典型的安全问题:假冒者、窃听者、非法升级者
  • 认证方式: Base64 、摘要认证 、客户端证书、表单认证,重点熟悉摘要算法( HASH 、 MD5 等)
  • 安全机制:授权、认证、数据完整性、机密性

【了解】

  • 80 端口、 443 端口
  • HTTP 与 HTTPS 传输数据的区别, SSL 等概念
  • 重放攻击、 SQL 注入等 

【参考】

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi
="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation
="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version
="3.1">

<!-- Define servlets that are included in the web application -->

<servlet>
<servlet-name>jack</servlet-name>
<servlet-class>sample.Jack</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>dog</servlet-name>
<servlet-class>sample.Dog</servlet-class>
<load-on-startup>2</load-on-startup>
<security-role-ref>
<role-name>VIP</role-name>
<role-link>Member</role-link>
</security-role-ref>
</servlet>


<servlet-mapping>
<servlet-name>jack</servlet-name>
<url-pattern>/abc/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dog</servlet-name>
<url-pattern>/abc/3</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dog</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>


<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/WEB-INF/jsp/exception/common-exception.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsp/exception/404-exception.jsp</location>
</error-page>

<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>abc/3</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<security-role>
<role-name>Admin</role-name>
</security-role>
<security-role>
<role-name>Member</role-name>
</security-role>
<security-role>
<role-name>Guest</role-name>
</security-role>

<!--<login-config>-->
<!--<auth-method>BASIC 明文认证</auth-method>-->
<!--</login-config>-->
<!--<login-config>-->
<!--<auth-method>DIGEST 摘要认证</auth-method>-->
<!--</login-config>-->
<!--<login-config>-->
<!--<auth-method>CLIENT-CERT 客户端证书</auth-method>-->
<!--</login-config>-->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/loginPage.jsp</form-login-page>
<form-error-page>/loginError.jsp</form-error-page>
</form-login-config>
</login-config>

<security-constraint>

<web-resource-collection>
<web-resource-name>UpdateRecipe</web-resource-name>
<url-pattern>/abc/3</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>

<auth-constraint>
<role-name>Admin</role-name>
<role-name>Member</role-name>
</auth-constraint>

<!--<user-data-constraint>-->
<!--<transport-guarantee>CONFIDENTIAL</transport-guarantee>-->
<!--</user-data-constraint>-->
<!-- 对资源进行传输保证(不至于明文传输密码)
tomcat 需要开启 8443 端口,并且需要一个证书,涉及到 HTTPS、SSL 等安全协议
-->
</security-constraint>

</web-app>

 loginPage.jsp :

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Authorization</title>
</head>
<body>
<form method="post" action="j_security_check">
<p><input type="text" name="j_username" /></p>
<p><input type="secret" name="j_password" /></p>
<p><input type="submit" value="Enter"></p>
</form>
</body>
</html>

 Servlet :

package sample;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class Dog extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.setContentType(
"text/html");
PrintWriter out
= resp.getWriter();
if (req.isUserInRole("VIP")) { // 【授权】程序式授权,对应的是在 web.xml 中的声明式授权
out.println("Only VIP can see.");
out.println(req.getRemoteUser());
// 【认证】确认用户身份,打印出来是 username
}
out.println(
"he is not jack.");
}
}