urlrewrite-------解决大型WEB系统URL暴露安全问题
未经过改写的WEB系统的URL可以泄漏工程文件的目录,为了保证WEB系统的安全,免遭黑客的攻击,我们通常要对URL进行重写,目的就是使访问者看不到真实的路径,从而可以减少黑客攻击的可能性,下面给出一个简单的登陆例子,将http://localhost:8080/urlrewrite/login.do改写为http://localhost:8080/urlrewrite/mylogin/
1.首先去CSDN下载频道搜索urlrewrite-2.6.0.jar这个文件,然后将其放在工程目录的WEB-INFO/LIB下。
2.配置web.xml
[java] view plaincopyprint?
action
org.apache.struts.action.ActionServlet
config
/WEB-INF/struts-config.xml
debug
3
detail
3
0
action
*.do
UrlRewriteFilter
org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
logLevel
WARN
UrlRewriteFilter
/*
REQUEST
FORWARD
login.jsp
action
org.apache.struts.action.ActionServlet
config
/WEB-INF/struts-config.xml
debug
3
detail
3
0
action
*.do
UrlRewriteFilter
org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
logLevel
WARN
UrlRewriteFilter
/*
REQUEST
FORWARD
login.jsp
3.编写页面login.jsp.success.jsp以及failure.jsp
[c-sharp] view plaincopyprint?
login.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"prefix="c"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
success.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
success!
failure.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
failure!
login.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"prefix="c"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
success.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
success!
failure.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
failure!
4.编写action处理类及其配置struts-config.properties
[c-sharp] view plaincopyprint?
LoginAction.java
package com.zxc.struts.action;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
public class LoginAction extends Action {
public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response) {
// TODO Auto-generated method stub
String username=request.getParameter("username")==null?"":request.getParameter("username");
String password=request.getParameter("password")==null?"":request.getParameter("password");
if(username.equals("java")&&password.equals("java"))
return mapping.findForward("success");
else
return mapping.findForward("failure");
}
}
struts-config.properties
path="/login"
type="com.zxc.struts.action.LoginAction"
cancellable="true" >
LoginAction.java
package com.zxc.struts.action;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
public class LoginAction extends Action {
public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response) {
// TODO Auto-generated method stub
String username=request.getParameter("username")==null?"":request.getParameter("username");
String password=request.getParameter("password")==null?"":request.getParameter("password");
if(username.equals("java")&&password.equals("java"))
return mapping.findForward("success");
else
return mapping.findForward("failure");
}
}
struts-config.properties
path="/login"
type="com.zxc.struts.action.LoginAction"
cancellable="true" >
5.配置urlrewrite.xml文件,注意将其放到与web.xml同级目录中,并且配置的时候正向和逆向都得配置
[c-sharp] view plaincopyprint?
"http://tuckey.org/res/dtds/urlrewrite2.6.dtd">
Login
^/mylogin[/]?$
/login.do
Login
/login.do
/mylogin/
"http://tuckey.org/res/dtds/urlrewrite2.6.dtd">
Login
^/mylogin[/]?$
/login.do
Login
/login.do
/mylogin/
6.运行结果
输入用户名和密码之后,你会发现浏览器的地址变成了http://localhost:8080/urlrewrite/mylogin/
1.首先去CSDN下载频道搜索urlrewrite-2.6.0.jar这个文件,然后将其放在工程目录的WEB-INFO/LIB下。
2.配置web.xml
[java] view plaincopyprint?
org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
3.编写页面login.jsp.success.jsp以及failure.jsp
[c-sharp] view plaincopyprint?
login.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"prefix="c"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
success.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
success!
failure.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
failure!
login.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"prefix="c"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
success.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
success!
failure.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
failure!
4.编写action处理类及其配置struts-config.properties
[c-sharp] view plaincopyprint?
LoginAction.java
package com.zxc.struts.action;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
public class LoginAction extends Action {
public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response) {
// TODO Auto-generated method stub
String username=request.getParameter("username")==null?"":request.getParameter("username");
String password=request.getParameter("password")==null?"":request.getParameter("password");
if(username.equals("java")&&password.equals("java"))
return mapping.findForward("success");
else
return mapping.findForward("failure");
}
}
struts-config.properties
type="com.zxc.struts.action.LoginAction"
cancellable="true" >
LoginAction.java
package com.zxc.struts.action;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
public class LoginAction extends Action {
public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response) {
// TODO Auto-generated method stub
String username=request.getParameter("username")==null?"":request.getParameter("username");
String password=request.getParameter("password")==null?"":request.getParameter("password");
if(username.equals("java")&&password.equals("java"))
return mapping.findForward("success");
else
return mapping.findForward("failure");
}
}
struts-config.properties
type="com.zxc.struts.action.LoginAction"
cancellable="true" >
5.配置urlrewrite.xml文件,注意将其放到与web.xml同级目录中,并且配置的时候正向和逆向都得配置
[c-sharp] view plaincopyprint?
"http://tuckey.org/res/dtds/urlrewrite2.6.dtd">
Login
"http://tuckey.org/res/dtds/urlrewrite2.6.dtd">
Login
6.运行结果
输入用户名和密码之后,你会发现浏览器的地址变成了http://localhost:8080/urlrewrite/mylogin/