使用filter驗證session用戶和頁面緩存問題處理

WEB的信息安全隱患之一:

未授權用戶通過直接在IE中輸入URL直接登錄系統

解決辦法:

通過配置filter過濾無效用戶的連接請求.

WEB的信息安全隱患之二:

合法用戶"註銷"後,在未關閉瀏覽器的情況下,點擊瀏覽器"後退"按鈕,可從與本地頁面緩存中讀取數據,繞過了服務端filter過濾.

解決辦法:

在必要的頁面(包含敏感信息) 設定頁面緩存限制.

也可以把上面兩步組合在一個,通過同一個filter實現.具體如下:

1.配置filter(web.xml)

......

<filter>
  <filter-name>Authentication</filter-name> <!-- Authentication過濾器別名 -->
  <filter-class>com.mycompany.myweb.management.util.AuthenticationFilter</filter-class> <!-- 過濾器Authentication指向的具體類 -->
  <init-param>
   <param-name>onError</param-name> <!-- 過濾器初始化參數配置 -->
   <param-value>/Logon.do</param-value> <!-- 這裏指定無效用戶跳轉方向 -->
  </init-param>
</filter>
<filter-mapping>
<filter-name>Authentication</filter-name>
<url-pattern>/management/*</url-pattern> <!-- management/*是要過濾的文件的位置,表示過濾management文件夾下的所內容。 -->
</filter-mapping>
<filter-mapping>
<filter-name>Authentication</filter-name>
<url-pattern>/Main.do</url-pattern> <!-- Main.do/*是要過濾的請求,表示過濾此請求指定的頁面的所內容。 -->
</filter-mapping>

......

AuthenticationFilter過濾器實現類:

package com.mycompany.myweb.management.util;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.struts.Globals;
import org.apache.struts.action.*;

public class AuthenticationFilter implements Filter {//一定要使用Filter接口
private FilterConfig filterConfig;

private String onErrorUrl;

public void init(FilterConfig config) throws ServletException {
  filterConfig = config;
  onErrorUrl = filterConfig.getInitParameter("onError");
  if (onErrorUrl == null || "".equals(onErrorUrl)) {
   onErrorUrl = "onError";
  }
}

public void doFilter(ServletRequest request, ServletResponse response,
   FilterChain next) throws IOException, ServletException {
  HttpServletRequest httpRequest = (HttpServletRequest) request;
  HttpServletResponse httpResponse = (HttpServletResponse) response;
  HttpSession httpSession = httpRequest.getSession();
/**
  * @author justin ray
  * @see 頁面緩存設定
  * <br>確保瀏覽器不緩存頁面數據
  */

httpResponse.setHeader("Cache-Control","no-cache");
  httpResponse.setHeader("Cache-Control","no-store");
  httpResponse.setDateHeader("Expires", 0);
  httpResponse.setHeader("Pragma","no-cache");

  /**
  * @author justin ray
  * @see 過濾未登錄用戶無效請求
  * <br>未登錄用戶請求跳轉到/Logon.do
  */
  if (httpSession.getAttribute("ePAccountInfo") == null) {
   ActionErrors errors = new ActionErrors();
   errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("沒有登錄"));
   httpRequest.setAttribute(Globals.ERROR_KEY, errors);
   httpRequest.getRequestDispatcher(onErrorUrl).forward(httpRequest,
     httpResponse);
  } else
   next.doFilter(request, response);
}

public void destroy() {
}

}



其他方式,如:在一個JSP裏實現用戶登錄驗證,其他JSP頁面通過include引入驗證