How to disable direct access to jsp pages?
Original URL: http://stackoverflow.com/questions/27548076/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): Stack Overflow
Asked by Digicom
I have a JSP page in a Java project, and I use the code below to hide the .jsp extension from the URL, but my page also loads with the .jsp extension in the URL. How do I prevent this? My code:
<servlet>
    <servlet-name>myTest</servlet-name>
    <jsp-file>/testing.jsp</jsp-file>
</servlet>
<servlet-mapping>
    <servlet-name>myTest</servlet-name>
    <url-pattern>/test</url-pattern>
</servlet-mapping>
And the URL I am testing is: localhost/testing.jsp, and my testing page is accessible.
Answer by Gas
For a quick solution, just put your JSP pages in the WEB-INF folder (then they will not be directly accessible) and define them like this:
<servlet>
    <description>
    </description>
    <display-name>hidden</display-name>
    <servlet-name>hidden</servlet-name>
    <jsp-file>/WEB-INF/hidden.jsp</jsp-file>
</servlet>
<servlet-mapping>
    <servlet-name>hidden</servlet-name>
    <url-pattern>/hidden</url-pattern>
</servlet-mapping>
But you should consider using frameworks to do it, like Struts2 or Spring.
Answer by Sas
You could also use a filter and deny access to JSPs.
<filter>
    <filter-name>JspFilter</filter-name>
    <filter-class>my.JspFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>JspFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
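Filter:
package my;
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
public class JspFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}
    // Every client request matching *.jsp is forwarded to the error page instead of being served.
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        req.getRequestDispatcher("error.jsp").forward(request, response);
    }
}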
Answer by craigwor
I would map the url to the servlet and then return the jsp from the servlet. eg:
In web.xml:
<servlet>
    <servlet-name>testServlet</servlet-name>
    <servlet-class>com.yourpackage.testServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>testServlet</servlet-name>
    <url-pattern>/test</url-pattern>
</servlet-mapping>
In servlet:
request.getRequestDispatcher("testing.jsp").forward(request, response);
So your url pattern will be /test but the testing.jsp page will be loaded. Hope this helps.
Answer by Alan Hay
You can prevent direct access to jsp files by adding the following to your web.xml, altering the url pattern as required.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <description>No direct access to JSP files</description>
        <url-pattern>/pages/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No direct browser access to JSP files</description>
        <role-name>NobodyHasThisRole</role-name>
    </auth-constraint>
</security-constraint>
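A hardened variant of the constraint above, added here as an example and not part of any of the original answers: when `<http-method>` elements are listed, the constraint covers only those methods, so this version omits them to cover every method and uses an empty `<auth-constraint/>`, which the Servlet specification treats as "no access for anyone", instead of a placeholder role name. The `/pages/*` pattern and the `/test` mapping come from the page; the `web-app` wrapper, the `/pages/testing.jsp` location and the use of Servlet 3.1 (`<deny-uncovered-http-methods/>`) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <!-- Public URL /test is served by a JSP stored under /pages/ (assumed location) -->
    <servlet>
        <servlet-name>myTest</servlet-name>
        <jsp-file>/pages/testing.jsp</jsp-file>
    </servlet>
    <servlet-mapping>
        <servlet-name>myTest</servlet-name>
        <url-pattern>/test</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>JSP Files</web-resource-name>
            <description>No direct access to JSP files</description>
            <url-pattern>/pages/*</url-pattern>
            <!-- No <http-method> elements: the constraint applies to all HTTP methods -->
        </web-resource-collection>
        <!-- Empty auth-constraint: no role is permitted, so every direct request is refused -->
        <auth-constraint/>
    </security-constraint>

    <!-- Servlet 3.1+: refuse methods that any other constraint in this file leaves uncovered -->
    <deny-uncovered-http-methods/>
</web-app>
```

Security constraints are matched against the URL the client requested, not against internal dispatches, so `/test` and `RequestDispatcher` forwards to files under `/pages/` keep working while `/pages/testing.jsp` itself is refused.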