adding security in Struts 2 spring application
I am developing an application with Spring 3, Struts 2 and Hibernate. Only after login do I have to display the pages.
It is working fine. When I was testing I found a big mistake:
if I copy the URL of a page which needs to be displayed only to a logged-in user and paste it in another browser, it displays the page without login.
<%
String userId= (String)session.getAttribute("userId");
System.out.println(userId);
if(userId == null || userId.equals("") ){
response.sendRedirect("login.jsp");
}
%>
I have included this in all JSPs. I know this is not a best practice.
Is there any better option available?
How would I overcome this error?
if(userId == null || userId.equals("") ){
response.sendRedirect("login.jsp");
}
should probably have a return in there to prevent rendering the page content:
if(userId == null || userId.equals("") ){
response.sendRedirect("login.jsp");
return;
}
Nothing in the javadoc suggests that sendRedirect causes abrupt exit or causes the response body to not be shipped to the client.
What is probably happening is that your response contains a redirect header, but also contains the page content which you might not have meant to send.
I am still in education so I do not know how good my solution is, but it did not crash so I hope it is correct,
and it is quite similar to @muthu's code.
I had used JPA-EclipseLink and Struts2.
Action Class
// JPQL lookup of the user whose username and password match the submitted credentials
String checkLogin = "SELECT user FROM UserEntity user WHERE user.username = :username AND user.password = :password";
Query checkLoginQuery = em.createQuery(checkLogin);
checkLoginQuery.setParameter("username", loginUsername);
checkLoginQuery.setParameter("password", loginPassword);
// getSingleResult() throws NoResultException when the credentials match no user
userEntity = (UserEntity) checkLoginQuery.getSingleResult();
// store the logged-in user in the Struts 2 session map so JSPs can test #session.userEntity
Map<String, Object> sessionMap = ActionContext.getContext().getSession();
sessionMap.put("userEntity", userEntity);
JSP -> all JSP pages have this (bug: affected if the session is not killed when the browser is not closed)
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:if test="%{#session.userEntity == null}">
<jsp:forward page="login.jsp"/>
</s:if>
Correct me if I am wrong:
Both <jsp:forward> and RequestDispatcher.forward() are what I refer to as "server-side" redirects.
The response.sendRedirect() is what I call a "client-side" redirect.
So a server-side forward looks safer to me, maybe I am wrong (I am sorry if I am misinterpreting it, I have not worked on real-life projects yet).
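As an added example (not code from the question or either answer), the option a practitioner would use instead of a scriptlet in every JSP: a Struts 2 interceptor that checks the session once, before any action or its JSP runs. It assumes the login action stores the user id under the session key "userId", as the question's scriptlet does; the package name, class name and the struts.xml fragment in the comment are assumptions.

```java
// Added example, not from the question or answers.
// Hypothetical package and class names; the session key "userId" follows the question.
package example.security;

import java.util.Map;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/*
 * Assumed struts.xml wiring (runs this interceptor before the default stack
 * for every action in the package, and maps the "login" result to login.jsp):
 *
 * <package name="secure" extends="struts-default">
 *   <interceptors>
 *     <interceptor name="loginRequired" class="example.security.LoginRequiredInterceptor"/>
 *     <interceptor-stack name="secureStack">
 *       <interceptor-ref name="loginRequired"/>
 *       <interceptor-ref name="defaultStack"/>
 *     </interceptor-stack>
 *   </interceptors>
 *   <default-interceptor-ref name="secureStack"/>
 *   <global-results>
 *     <result name="login" type="redirect">/login.jsp</result>
 *   </global-results>
 * </package>
 */
public class LoginRequiredInterceptor extends AbstractInterceptor {

    public static final String LOGIN_RESULT = "login";
    private static final String SESSION_KEY = "userId";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object userId = (session == null) ? null : session.get(SESSION_KEY);

        if (userId == null || userId.toString().trim().isEmpty()) {
            // Returning a result name short-circuits the invocation: neither the
            // action nor its JSP executes, so no page body follows the redirect.
            return LOGIN_RESULT;
        }
        // Logged in: continue with the action and its normal result.
        return invocation.invoke();
    }
}
```

Keeping the protected JSPs under WEB-INF so they are reachable only through actions closes the direct-URL route described in the question, and because the interceptor returns a result rather than calling sendRedirect() from a page, the missing-return problem from the first answer does not arise.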