web 安全性问题

于 2013-12-24 13:29:30 发布
阅读量178 收藏
点赞数
分类专栏: java 文章标签: java web.xml
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/u013245082/article/details/84514739
版权
添加过滤器,将没有用都的请求方法过滤掉,如DELETE 


import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RequestFilter implements Filter {

	public void init(FilterConfig config) throws ServletException {

	}

	public void destroy() {

	}

	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		HttpServletRequest req = (HttpServletRequest) request;
		HttpServletResponse res = (HttpServletResponse) response;
		String method = req.getMethod();
		List<String> methodList = Arrays.asList("DELETE", "HEAD", "PUT",
				"OPTIONS","TRACE");
		if (methodList.contains(method)) {
			res.setStatus(403);
			return;
		}
		chain.doFilter(request, response);
	}
}


也可以在web.xml中设置 


<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	id="WebApp_ID" version="2.5">


	<security-constraint>
		<web-resource-collection>
			<url-pattern>/*</url-pattern>
			<http-method>PUT</http-method>
			<http-method>DELETE</http-method>
			<http-method>HEAD</http-method>
			<http-method>OPTIONS</http-method>
			<http-method>TRACE</http-method>
		</web-resource-collection>
		<auth-constraint>
		</auth-constraint>
	</security-constraint>
	<login-config>
		<auth-method>BASIC</auth-method>
	</login-config>

</web-app>



这种方式,用内嵌的jetty启动会报错,但tomcat没问题。。。未解决。。。暂时使用filter


Cookie中设置httpOnly标识
web.xml 

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	xsi:schemaLocation=" http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	id="WebApp_ID" version="2.5">


	<session-config>
		<cookie-config>
			<http-only>true</http-only>
		</cookie-config>
	</session-config>

</web-app>

也可以在 代码中设置 
cookie.setHttpOnly(true);
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值