java相关安全漏洞及整改建议

1. 防止用户直接访问url的权限控制

   通过判断父类URL是否存在，判断是通过系统跳转的链接还是通过浏览器直接输入的跳转链接 参考如下

UsersFilter

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

HttpServletRequest req = (HttpServletRequest) request;   

// 获取Session     

HttpSession session = req.getSession();

if (session != null) {

Map user = (Map) session.getAttribute("user");

if (user != null) {

//new 只允许通过应用访问，不允许用户修改URL访问

HttpServletResponse resp = (HttpServletResponse) response; 

String conString = req.getHeader("REFERER");//获取父url

if("".equals(conString) || null==conString){ //判断如果上一个(父)url为空的话，说明是用户直接输入url访问的  

resp.sendRedirect(req.getContextPath() + "/index.jsp");//跳回首页 

return;

}else{

//应用正常跳转URL

} 

} else {

       

String url = req.getRequestURI();

boolean match = false;

for (String key : resources)

{

if (url.indexOf(key) >= 0)

{

match = true;

break;

}

}

if (!match)

{

HttpServletResponse res = (HttpServletResponse) response;  

res.sendRedirect(req.getContextPath() + "/index.jsp");

return;

}

}

}

chain.doFilter(request, response);

}