
How to prevent client from accessing JSP page

In my web application, I use the .load() function in jQuery to load some JSP pages inside a DIV.

$("#myDiv").load("chat.jsp");

In chat.jsp, no Java code is executed unless the client has logged in, meaning I check the session.

// getAttribute() returns Object, so the value has to be cast; comparing the
// literal first keeps this from throwing when no session attribute is set.
String sessionId = (String) session.getAttribute("SessionId");
if("100".equals(sessionId)){
  //execute codes
}else{
  //redirect to log in page
}

The Java code that gets executed will out.println(); some HTML elements.

I don't want the client to type /chat.jsp in the browser to access this page, as it will look bad, the other stuff in the main page won't be there, and this could harm the web app's security.

How can I restrict someone from accessing chat.jsp directly, yet keep it accessible via .load()?

UPDATE:

JavaDB is a class that I made; it connects me to the database.

This is chat.jsp:

<%@ page import="java.sql.Connection, java.sql.PreparedStatement, java.sql.ResultSet" %>
<%!
    // Escape database text before writing it into the HTML; a stored message
    // such as "<script>..." is then displayed literally instead of executed.
    private static String esc(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
%>
<body>

    <%
        // Test the attribute for null before calling toString(); the original
        // order threw a NullPointerException for logged-out visitors.
        Object sessionAttr = session.getAttribute("SessionId");
        if (sessionAttr != null) {
            String userId = sessionAttr.toString();
            String roomId = request.getParameter("roomId");
            String lastMessageId = request.getParameter("lastMessageId");
            JavaDB myJavaDB = new JavaDB();
            myJavaDB.Connect("Chat", "chat", "chat");
            Connection conn = myJavaDB.getMyConnection();
            // Bind roomId and lastMessageId as parameters instead of concatenating
            // them into the SQL; concatenation lets a caller inject arbitrary SQL.
            PreparedStatement stmt = conn.prepareStatement(
                "select message,message_id,first_name,last_name from users u,messages m"
                + " where u.user_id=m.user_id and m.message_id>? and room_id=?"
                + " order by m.message_id asc");
            stmt.setInt(1, Integer.parseInt(lastMessageId));
            stmt.setInt(2, Integer.parseInt(roomId));
            String lastId = "";
            int fi = 0;
            ResultSet rset = stmt.executeQuery();
            while (rset.next()) {
                fi = 1;
                lastId = rset.getString(2);
    %>
    <div class="message">
        <div class="messageSender">
            <%=esc(rset.getString(3) + " " + rset.getString(4))%>
        </div>
        <div class="messageContents">
            <%=esc(rset.getString(1))%>
        </div>
    </div>
    <%            }
            rset.close();
            stmt.close();
    %>
    <div class="lastId">
        <% if (fi == 1) {%>
        <%=lastId%>
        <% } else {%>
        <%=esc(lastMessageId)%>
        <% }%></div>

    <% if (fi == 1) {%>
    <div class="messages">
    </div> 
    <% }
        } else {
            response.sendRedirect("index.jsp");
        }%>
</body>

Guys, I don't know what Filter means.

UPDATE

If I decide to send a parameter that tells me that this request came from jQuery:

.load("chat.jsp", { jquery : "yes" });

And then check it in chat.jsp:

String yesOrNo = request.getParameter("jquery");

Then they can simply hack this by using this URL:

/chat.jsp?jquery=yes

or something like that.

UPDATE

I tried Maksim's advice; I got this when I tried to access chat.jsp.

(screenshot not reproduced here)

Is this the desired effect?

In order to achieve this in my application, I check for the X-Requested-With field in the HTTP header the client sends to my page in its request. If its value is XMLHttpRequest, then it's very likely that it came from an AJAX request (jQuery appends this header to its requests); otherwise I don't serve the page. Regular (direct) browser requests will leave this header field blank.

In ASP.Net it looks like this; you will have to change your code slightly for JSP:

if (Request.Headers["X-Requested-With"] != "XMLHttpRequest")
{
     Response.Write("AJAX Request only.");
     Response.End();
     return;
}

UPD: After quick googling, your code will probably be something like this:

if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
    out.println("AJAX Request only.");
    out.flush(); 
    out.close(); 
    return; 
}

UPD2: Looks like request.getHeader("X-Requested-With") returns null in your case; change the condition to something like this:

String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
    ...
}

Is your code snippet a servlet? If that's so, use a security framework (such as Spring Security) or a javax.servlet.Filter for applying security; then you can apply security to JSPs too.

You should use a Filter. Check the session in the filter code and redirect to login.

According to http://www.c-sharpcorner.com/blogs/2918/how-to-set-a-request-header-in-a-jquery-ajax-call.aspx:

jQuery gives you the tools you need to create a request and retrieve a response through its ajax library. The raw $.ajax call gives you all kinds of callbacks to manipulate HTTP messages.

So you can add a custom request header in your Ajax call like this:

$.ajax({
  type:"POST",
  beforeSend: function (request)
  {
     request.setRequestHeader("Authority", "AJAXREQUEST");
  },
...........

And then in your servlet, check to see if the request has the header Authority equal to AJAXREQUEST. This is how you read request headers: http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/Servlet-Tutorial-Request-Headers.html
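The three answers above (the X-Requested-With check, "use a javax.servlet.Filter", and the custom Authority header) fit together in one place: a servlet Filter mapped to chat.jsp. The example below is added here and is not code from any of the answers or from the asker's project. It assumes a Servlet 3.0+ container (for @WebFilter), the hypothetical class name ChatFragmentFilter, and reuses the names from the question: chat.jsp, index.jsp as the login page, and the "SessionId" session attribute.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter name and URL pattern; chat.jsp, index.jsp and the
// "SessionId" attribute are the names used in the question.
@WebFilter(urlPatterns = "/chat.jsp")
public class ChatFragmentFilter implements Filter {

    private static final String SESSION_ATTR = "SessionId";
    private static final String LOGIN_PAGE = "/index.jsp";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. The actual access control: no logged-in session, no fragment.
        //    getSession(false) avoids creating a session for anonymous visitors.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(SESSION_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // 2. Presentation only: a browser that has the URL typed into it sends
        //    no AJAX marker, while jQuery's .load()/$.ajax() do. Any HTTP client
        //    can add the marker, so this decides where a logged-in user lands,
        //    not whether they may read the data; step 1 decides that.
        if (!isAjaxRequest(request)) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Chat fragments are per-user and change constantly; keep them out of caches.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    // Accepts either the header jQuery sets by default (Maksim's answer) or the
    // custom "Authority: AJAXREQUEST" header from the $.ajax beforeSend answer.
    // getHeader() returns null when a header is absent, so the literal goes first.
    static boolean isAjaxRequest(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))
            || "AJAXREQUEST".equals(request.getHeader("Authority"));
    }

    @Override
    public void destroy() { }
}
```

With the filter mapped to /chat.jsp the page no longer needs its own session check and redirect branch, and the "jquery=yes" parameter from the second update is not needed either. What the filter does not know is whether the logged-in user is allowed to read the room named by roomId; that authorization check still belongs in chat.jsp (or the query) itself. On a Servlet 2.5 container, replace the @WebFilter annotation with a filter and filter-mapping entry in web.xml.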
