urlrewrite-------解决大型WEB系统URL暴露安全问题

未经过改写的WEB系统的URL可以泄漏工程文件的目录,为了保证WEB系统的安全,免遭黑客的攻击,我们通常要对URL进行重写,目的就是使访问者看不到真实的路径,从而可以减少黑客攻击的可能性,下面给出一个简单的登陆例子,将http://localhost:8080/urlrewrite/login.do改写为http://localhost:8080/urlrewrite/mylogin/

1.首先去CSDN下载频道搜索urlrewrite-2.6.0.jar这个文件,然后将其放在工程目录的WEB-INFO/LIB下。

2.配置web.xml



[java] view plaincopyprint?



action
org.apache.struts.action.ActionServlet

config
/WEB-INF/struts-config.xml


debug
3


detail
3

0


action
*.do


UrlRewriteFilter

org.tuckey.web.filters.urlrewrite.UrlRewriteFilter


logLevel
WARN



UrlRewriteFilter
/*
REQUEST
FORWARD


login.jsp





action
org.apache.struts.action.ActionServlet

config
/WEB-INF/struts-config.xml


debug
3


detail
3

0


action
*.do


UrlRewriteFilter

org.tuckey.web.filters.urlrewrite.UrlRewriteFilter


logLevel
WARN



UrlRewriteFilter
/*
REQUEST
FORWARD


login.jsp




3.编写页面login.jsp.success.jsp以及failure.jsp

[c-sharp] view plaincopyprint?
login.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"prefix="c"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>




用户名:
密 码:





success.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>


success!


failure.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>


failure!


login.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"prefix="c"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>




用户名:
密 码:





success.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>


success!


failure.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>


failure!



4.编写action处理类及其配置struts-config.properties

[c-sharp] view plaincopyprint?
LoginAction.java
package com.zxc.struts.action;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
public class LoginAction extends Action {
public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response) {
// TODO Auto-generated method stub
String username=request.getParameter("username")==null?"":request.getParameter("username");
String password=request.getParameter("password")==null?"":request.getParameter("password");
if(username.equals("java")&&password.equals("java"))
return mapping.findForward("success");
else
return mapping.findForward("failure");
}
}
struts-config.properties







path="/login"
type="com.zxc.struts.action.LoginAction"
cancellable="true" >






LoginAction.java
package com.zxc.struts.action;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
public class LoginAction extends Action {
public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response) {
// TODO Auto-generated method stub
String username=request.getParameter("username")==null?"":request.getParameter("username");
String password=request.getParameter("password")==null?"":request.getParameter("password");
if(username.equals("java")&&password.equals("java"))
return mapping.findForward("success");
else
return mapping.findForward("failure");
}
}
struts-config.properties







path="/login"
type="com.zxc.struts.action.LoginAction"
cancellable="true" >








5.配置urlrewrite.xml文件,注意将其放到与web.xml同级目录中,并且配置的时候正向和逆向都得配置

[c-sharp] view plaincopyprint?

"http://tuckey.org/res/dtds/urlrewrite2.6.dtd">





Login

^/mylogin[/]?$
/login.do




Login
/login.do
/mylogin/



"http://tuckey.org/res/dtds/urlrewrite2.6.dtd">





Login

^/mylogin[/]?$
/login.do




Login
/login.do
/mylogin/



6.运行结果

输入用户名和密码之后,你会发现浏览器的地址变成了http://localhost:8080/urlrewrite/mylogin/

你可能感兴趣的:(urlrewrite-------解决大型WEB系统URL暴露安全问题)