如何保护我的 Java Web 应用程序?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9678959/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to secure my java web application?
提问by Reuben Kurian
I have a web application in which when users login they reach the mainjsp.jsppage.
我有一个 Web 应用程序,当用户登录时,他们会到达该mainjsp.jsp页面。
In this page there are few text-box for dates and based on dates and selection from another drop-down, data is submitted. This data is retrieved by a servletand brought back to the mainjsppage.
在此页面中,日期的文本框很少,并且根据日期和从另一个下拉列表中的选择,提交数据。该数据由 a 检索servlet并带回mainjsp页面。
My concern is about security. Now when I copy paste the mainjsp.jsppage's URL and paste it in any browser this page appears as it is. I don't want this to happen. I want the users to login first and hence I want my web application secure.
我关心的是安全问题。现在,当我复制粘贴mainjsp.jsp页面的 URL 并将其粘贴到任何浏览器中时,该页面将按原样显示。我不希望这种情况发生。我希望用户先登录,因此我希望我的 Web 应用程序安全。
I don't have any idea how to do this. Could you please tell me how can I achieve this?
我不知道该怎么做。你能告诉我我怎样才能做到这一点?
Also please tell me how do I achieve this for any of the pages in the web-application. Users should not be able to access any page if they haven't logged in.
另请告诉我如何为 Web 应用程序中的任何页面实现此目的。如果用户尚未登录,他们将无法访问任何页面。
回答by Ramesh PVK
You should have Form based authentication. Here is the snippet which should be added to your web.xml
你应该有基于表单的身份验证。这是应该添加到您的web.xml 中的代码段
<security-constraint>
<web-resource-collection>
<web-resource-name>pagesWitUnrestrictedAccess</web-resource-name>
<description>No Description</description>
<url-pattern>*.jsp</url-pattern>
</web-resource-collection>
<user-data-constraint>
<description>No Description</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
Some References:
一些参考资料:
回答by Mike Lue
回答by AdrianS
Spring Security 3 is powerful and easy to configure
Spring Security 3 功能强大且易于配置
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html#ns-minimal
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html#ns-minimal
回答by Mazhar
Use sessions. Set a session variable on a login and check that on every page you have to make secure.
使用会话。在登录时设置会话变量,并检查您必须确保安全的每个页面。
回答by Ravi Chhatrala
When user enters credentials and submit it to a login servlet, add the user name or user id in session. Check the session attribute in application's header (so on every page) that is user name or user id exist in session? If yes then redirect it to requested page otherwise redirect user to login.jsp. for example:
当用户输入凭据并将其提交给登录 servlet 时,在会话中添加用户名或用户 ID。检查应用程序标题中的会话属性(在每个页面上),即会话中存在的用户名或用户 ID?如果是,则将其重定向到请求的页面,否则将用户重定向到 login.jsp。例如:
String var= null;
try {
var= (String) session.getAttribute("user_name_session");
if (var== null) {
response.sendRedirect("/Login.jsp");
return;
}
}
catch (Exception e) {
System.out.println(e);
}
You can modify the snippet as per your requirements, this is the simplest way for preventing user to go on any page via copying the link into another browser.
您可以根据自己的要求修改代码段,这是通过将链接复制到另一个浏览器来防止用户进入任何页面的最简单方法。
回答by Karan
this really best way to convert HTTP request into HTTPS request
这是将 HTTP 请求转换为 HTTPS 请求的最佳方式
