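/*
 * Web security risk #1: an unauthorized user signs in to the system by typing a URL
 * directly into the browser (IE) address bar.
 * Fix: configure a filter that rejects connection requests from users who are not
 * logged in.
 *
 * Web security risk #2: after a legitimate user "logs out" without closing the
 * browser, pressing the browser "Back" button reads the page from the local cache,
 * which bypasses the server-side filter.
 * Fix: set a cache-control restriction on the pages that need it (those containing
 * sensitive information).
 *
 * Both steps can also be combined and implemented by the same filter, as follows.
 *
 * 1. Configure the filter (web.xml)
 *
 *   ......
 *   <filter>
 *     <filter-name>Authentication</filter-name>             <!-- alias of the Authentication filter -->
 *     <filter-class>com.mycompany.myweb.management.util.AuthenticationFilter</filter-class>
 *                                                           <!-- concrete class the Authentication filter refers to -->
 *     <init-param>
 *       <param-name>onError</param-name>                    <!-- filter initialization parameter -->
 *       <param-value>/Logon.do</param-value>                <!-- where invalid users are redirected -->
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>Authentication</filter-name>
 *     <url-pattern>/management/*</url-pattern>              <!-- management/* is the location to filter: everything under the management folder -->
 *   </filter-mapping>
 *   <filter-mapping>
 *     <filter-name>Authentication</filter-name>
 *     <url-pattern>/Main.do</url-pattern>                   <!-- Main.do is the request to filter: all content of the page served by that request -->
 *   </filter-mapping>
 *   ......
 *
 * 2. The AuthenticationFilter implementation class:
 */
package com.mycompany.myweb.management.util;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.Globals;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

/**
 * Servlet filter that (1) rejects requests from users whose session carries no login
 * marker and (2) instructs the browser not to cache any filtered response, so that the
 * "Back" button after logout cannot show a protected page from the local cache.
 * <p>
 * The class must implement {@link Filter}. A request counts as logged in when the
 * session holds a non-null {@code "ePAccountInfo"} attribute; every other request is
 * forwarded to the {@code onError} init-param target (e.g. {@code /Logon.do}) with a
 * Struts global error message attached.
 */
public class AuthenticationFilter implements Filter {

    /** Session attribute whose presence marks an authenticated user. */
    private static final String ACCOUNT_ATTRIBUTE = "ePAccountInfo";

    /** Name of the init-param holding the forward target for unauthenticated requests. */
    private static final String ON_ERROR_PARAM = "onError";

    private FilterConfig filterConfig;
    private String onErrorUrl;

    /**
     * Reads the {@code onError} init parameter, the path unauthenticated requests are
     * forwarded to. Falls back to the literal {@code "onError"} when the parameter is
     * missing or blank.
     *
     * @param config filter configuration supplied by the container
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    public void init(FilterConfig config) throws ServletException {
        filterConfig = config;
        onErrorUrl = filterConfig.getInitParameter(ON_ERROR_PARAM);
        if (onErrorUrl == null || onErrorUrl.trim().length() == 0) {
            onErrorUrl = ON_ERROR_PARAM;
        }
    }

    /**
     * Disables client-side caching of the response, then either forwards an
     * unauthenticated request to {@code onErrorUrl} or passes it down the chain.
     *
     * @param request  incoming request; must be an {@link HttpServletRequest}
     * @param response outgoing response; must be an {@link HttpServletResponse}
     * @param next     remainder of the filter chain
     * @throws IOException      propagated from the forward or the chain
     * @throws ServletException propagated from the forward or the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain next)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Cache settings: make sure the browser does not cache the page data.
        // setHeader() replaces any earlier value for the same name, so both directives
        // must go into a single Cache-Control header or one of them is lost.
        httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        httpResponse.setDateHeader("Expires", 0);
        httpResponse.setHeader("Pragma", "no-cache");

        // Filter out requests from users who are not logged in and send them to
        // /Logon.do (the onError target). getSession(false) does not create a session
        // for an anonymous hit; a missing session simply means "not logged in".
        HttpSession httpSession = httpRequest.getSession(false);
        if (httpSession == null || httpSession.getAttribute(ACCOUNT_ATTRIBUTE) == null) {
            ActionErrors errors = new ActionErrors();
            errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("没有登录"));
            httpRequest.setAttribute(Globals.ERROR_KEY, errors);
            httpRequest.getRequestDispatcher(onErrorUrl).forward(httpRequest, httpResponse);
            return; // the forwarded response is complete; never continue the chain
        }
        next.doFilter(request, response);
    }

    /** Nothing to release. */
    public void destroy() {
    }
}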