
Adding security in Struts 2 Spring application

I am developing an application with Spring 3, Struts 2 and Hibernate. Only after login should I display the pages.

It is working fine. When I was testing I found a big mistake:

that is, if I copy the URL of a page which should be displayed only to logged-in users and paste it into another browser, it displays the page without login.

<%
    String userId = (String) session.getAttribute("userId");
    System.out.println(userId);

    if (userId == null || userId.equals("")) {
        response.sendRedirect("login.jsp");
    }
%>

I have included this in all JSPs. I know this is not a best practice. Is any better option available?

How would I overcome this error?

if(userId == null || userId.equals("") ){
    response.sendRedirect("login.jsp");
}

should probably have a return in there to prevent rendering the page content:

if(userId == null || userId.equals("") ){
    response.sendRedirect("login.jsp");
    return;
}

Nothing in the javadoc suggests that sendRedirect causes an abrupt exit or causes the response body not to be shipped to the client.

What is probably happening is that your response contains a redirect header, but also contains the page content which you might not have meant to send.
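The usual way to avoid the per-JSP scriptlet the question asks about, and to get the `return` after `sendRedirect` that the answer above points out, is to do the check once in a servlet filter in front of every protected URL. The filter below is an added example, not code from the question or the answers; it assumes a Servlet 3.0 container (otherwise declare the same class in web.xml), that the protected pages and actions are mapped under /secure/, and reuses the `userId` session attribute from the question.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical login filter: one check in front of every protected URL instead of a scriptlet per JSP. */
@WebFilter(urlPatterns = {"/secure/*"})   // assumed layout: protected pages and actions live under /secure/
public class LoginFilter implements Filter {

    /** Session attribute name used by the question's own login code. */
    static final String USER_ID = "userId";

    /** True only when the session exists and holds a non-empty userId. */
    static boolean isLoggedIn(HttpSession session) {
        if (session == null) {
            return false;
        }
        Object userId = session.getAttribute(USER_ID);
        return userId instanceof String && !((String) userId).isEmpty();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just to discover that nobody is logged in.
        if (!isLoggedIn(request.getSession(false))) {
            // Redirect and return: the JSP or action is never reached, so no page body follows the 302.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res); // logged in: let the request continue to the Struts action or JSP
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

If the filter is declared in web.xml instead of by annotation, map it before the Struts 2 filter so the check runs first.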

I am still in education so I do not know how good my solution is, but it did not crash so I hope it is correct

and it is quite similar to @muthu's code

I had used JPA-EclipseLink and Struts 2

Action class

// JPQL lookup of the user; values are bound as named parameters, not concatenated into the query
String checkLogin = "SELECT user FROM UserEntity user WHERE user.username = :username AND user.password = :password";
Query checkLoginQuery = em.createQuery(checkLogin);
checkLoginQuery.setParameter("username", loginUsername);
checkLoginQuery.setParameter("password", loginPassword);

// throws NoResultException when no row matches
userEntity = (UserEntity) checkLoginQuery.getSingleResult();

// store the logged-in user in the Struts 2 session map for the JSP check below
Map<String, Object> sessionMap = ActionContext.getContext().getSession();
sessionMap.put("userEntity", userEntity);

JSP -> all JSP pages have this (bug: affected if the session is not killed when the browser is not closed)

<%@ taglib prefix="s" uri="/struts-tags" %>
<s:if test="%{#session.userEntity == null}">
    <jsp:forward page="login.jsp"/>
</s:if>


Correct me if I am wrong

Quoting this page

Both <jsp:forward> and RequestDispatcher.forward() are what I refer to as "server-side" redirects

The response.sendRedirect() is what I call a "client-side" redirect.

so a server-side forward looks safer to me, maybe I am wrong (I am sorry if I am misinterpreting it, I have not worked on real-life projects yet)
