java相关安全漏洞及整改建议
2018-05-28 本文已影响0人
叨唧唧的
- 防止用户直接访问url的权限控制
通过判断父类URL是否存在,判断是通过系统跳转的链接还是通过浏览器直接输入的跳转链接 参考如下
UsersFilter
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
// 获取Session
HttpSession session = req.getSession();
if (session != null) {
Map user = (Map) session.getAttribute("user");
if (user != null) {
//new 只允许通过应用访问,不允许用户修改URL访问
HttpServletResponse resp = (HttpServletResponse) response;
String conString = req.getHeader("REFERER");//获取父url
if("".equals(conString) || null==conString){ //判断如果上一个(父)url为空的话,说明是用户直接输入url访问的
resp.sendRedirect(req.getContextPath() + "/index.jsp");//跳回首页
return;
}else{
//应用正常跳转URL
}
} else {
String url = req.getRequestURI();
boolean match = false;
for (String key : resources)
{
if (url.indexOf(key) >= 0)
{
match = true;
break;
}
}
if (!match)
{
HttpServletResponse res = (HttpServletResponse) response;
res.sendRedirect(req.getContextPath() + "/index.jsp");
return;
}
}
}
chain.doFilter(request, response);
}
