如何防止客户端访问JSP页面
•浏览 1
How to prevent client from accessing JSP page
在我的 Web 应用程序中,我使用 JQuery 中的 .load() 函数,在 DIV.
中加载一些 JSP 页面
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........在 chat.jsp 中,除非此客户端已登录,否则不会执行任何 Java 代码,这意味着,我检查了会话。
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........那些将被执行的java代码,它们会out.println();一些HTML元素。
我不希望客户端在浏览器中写入 /chat.jsp 来访问此页面,因为它看起来很糟糕,而且主页中的其他内容也不存在,这可能会损害Web 应用程序安全性。
我怎样才能限制某人直接访问 chat.jsp,但又可以通过 .load() 访问它?
更新:
JavaDB 是我创建的一个类,它将我连接到数据库。
这是 chat.jsp
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........伙计们,我不知道过滤器是什么意思。
更新
如果我决定发送一个参数告诉我此请求来自 Jquery。
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........然后在chat.jsp中查看
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........然后他们可以使用这个 URL 简单地破解它。
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........或类似的东西..
更新
我尝试了 Maksim 的建议,当我尝试访问 chat.jsp 时得到了这个。
这是想要的效果吗?
为了在我的应用程序中实现这一点,我检查客户端在其请求中发送到我的页面的 http 标头中的 X-Requested-With 字段。如果它的值为 XMLHttpRequest,那么它很可能来自一个 ajax 请求(jQuery 将此标头附加到它的请求中),否则我不提供该页面。常规(直接)浏览器请求会将此标头字段留空。
在 ASP.Net 中看起来像这样,您必须为 JSP 稍微更改代码:
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........UPD:快速谷歌搜索后,您的代码可能会是这样的
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........UPD2:看起来 request.getHeader("X-Requested-With") 在您的情况下返回 null 将条件更改为如下所示:
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........根据 http://www.c-sharpcorner.com/blogs/2918/how-to-set-a-request-header-in-a-jquery-ajax-call.aspx
JQuery gives you the tools you need to create a request and retrieve a response through it's ajax library. The raw $.ajax call gives you all kinds of callbacks to manipulate http messages.
因此,您可以像这样在 Ajaxa 调用中添加自定义请求标头
$("#myDiv").load("chat.jsp");
String sessionId = session.getAttribute("SessionId");
if(sessionId.equals("100")){
//execute codes
}else{
//redirect to log in page
}
<body>
<%
String userId = session.getAttribute("SessionId").toString();
if (userId != null) {
String roomId = request.getParameter("roomId");
String lastMessageId = request.getParameter("lastMessageId");
JavaDB myJavaDB = new JavaDB();
myJavaDB.Connect("Chat","chat","chat");
Connection conn = myJavaDB.getMyConnection();
Statement stmt = conn.createStatement();
String lastId ="";
int fi = 0;
ResultSet rset = stmt.executeQuery("select message,message_id,first_name,last_name from users u,messages m where u.user_id=m.user_id and m.message_id>" + lastMessageId +" and room_id=" + roomId +" order by m.message_id asc");
while (rset.next()) {
fi = 1;
lastId = rset.getString(2);
%>
<%=rset.getString(3) +"" + rset.getString(4)%>
<%=rset.getString(1)%>
<% }
%>
<% if (fi == 1) {%>
<%=lastId%>
<% } else {%>
<%=lastMessageId%>
<% }%>
<% if (fi == 1) {%>
<% }
} else {
response.sendRedirect("index.jsp");
}%>
</body>
.load("chat.jsp", { jquery :"yes" });
String yesOrNo = request.getParameter("jquery");
/chat.jsp?jquery=yes
if (Request.Headers["X-Requested-With"] !="XMLHttpRequest")
{
Response.Write("AJAX Request only.");
Response.End();
return;
}
if(!request.getHeader("X-Requested-With").equals("XMLHttpRequest")){
out.println("AJAX Request only.");
out.flush();
out.close();
return;
}
String ajaxRequest = request.getHeader("X-Requested-With");
if(ajaxRequest == null || !ajaxRequest.equals("XMLHttpRequest")){
...
}
$.ajax({
type:"POST",
beforeSend: function (request)
{
request.setRequestHeader("Authority","AJAXREQUEST");
},
...........然后在您的 servlet 中检查请求是否具有标头授权等于 AJAXREQUEST。这就是您阅读请求标头的方式 http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/Servlet-Tutorial-Request-Headers.html
你应该使用过滤器。检查过滤器代码中的会话并重定向到登录。
您的代码片段是 servlet 吗?如果是这样,请使用安全框架(例如 Spring Security)或 javax.servlet.Filter 来应用安全性,那么您也可以将安全性应用到 JSP。