利用session驗證用戶是否正常登錄

原文地址：http://ejb-wawa.iteye.com/blog/395873

WEB的信息安全隱患之一: 

未授權用戶通過直接在IE中輸入URL直接登錄系統 

解決辦法: 

通過配置filter過濾無效用戶的連接請求. 

WEB的信息安全隱患之二: 

合法用戶"注銷"后,在未關閉瀏覽器的情況下,點擊瀏覽器"后退"按鈕,可從與本地頁面緩存中讀取數據,繞過了服務端filter過濾. 

解決辦法: 

在必要的頁面(包含敏感信息) 設定頁面緩存限制. 

也可以把上面兩步組合在一個,通過同一個filter實現.具體如下: 

1.配置filter(web.xml) 

...... 

<filter> 
   <filter-name>Authentication</filter-name> <!-- Authentication過濾器別名 --> 
   <filter-class>com.mycompany.myweb.management.util.AuthenticationFilter</filter-class> <!-- 過濾器Authentication指向的具體類 --> 
   <init-param> 
    <param-name>onError</param-name> <!-- 過濾器初始化參數配置 --> 
    <param-value>/Logon.do</param-value> <!-- 這里指定無效用戶跳轉方向 --> 
   </init-param> 
</filter> 
<filter-mapping> 
<filter-name>Authentication</filter-name> 
<url-pattern>/management/*</url-pattern> <!-- management/*是要過濾的文件的位置,表示過濾management文件夾下的所內容。 --> 
</filter-mapping> 
<filter-mapping> 
<filter-name>Authentication</filter-name> 
<url-pattern>/Main.do</url-pattern> <!-- Main.do/*是要過濾的請求,表示過濾此請求指定的頁面的所內容。 --> 
</filter-mapping> 

...... 

AuthenticationFilter過濾器實現類: 

package com.mycompany.myweb.management.util; 

import java.io.IOException; 
import javax.servlet.ServletException; 
import javax.servlet.http.*; 
import javax.servlet.Filter; 
import javax.servlet.FilterChain; 
import javax.servlet.FilterConfig; 
import javax.servlet.ServletRequest; 
import javax.servlet.ServletResponse; 
import org.apache.struts.Globals; 
import org.apache.struts.action.*; 

public class AuthenticationFilter implements Filter {//一定要使用Filter接口 
private FilterConfig filterConfig; 

private String onErrorUrl; 

public void init(FilterConfig config) throws ServletException { 
filterConfig = config; 
nErrorUrl = filterConfig.getInitParameter("onError"); 
if (onErrorUrl == null || "".equals(onErrorUrl)) { 
   nErrorUrl = "onError"; 
} 
} 

public void doFilter(ServletRequest request, ServletResponse response, 
   FilterChain next) throws IOException, ServletException { 
HttpServletRequest httpRequest = (HttpServletRequest) request; 
HttpServletResponse httpResponse = (HttpServletResponse) response; 
HttpSession httpSession = httpRequest.getSession(); 
/** 
* @author justin ray 
* @see 頁面緩存設定 
* <br>確保瀏覽器不緩存頁面數據 
*/ 

httpResponse.setHeader("Cache-Control","no-cache"); 
httpResponse.setHeader("Cache-Control","no-store"); 
httpResponse.setDateHeader("Expires", 0); 
httpResponse.setHeader("Pragma","no-cache"); 

/** 
* @author justin ray 
* @see 過濾未登錄用戶無效請求 
* <br>未登錄用戶請求跳轉到/Logon.do 
*/ 
if (httpSession.getAttribute("ePAccountInfo") == null) { 
   ActionErrors errors = new ActionErrors(); 
   errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("沒有登錄")); 
   httpRequest.setAttribute(Globals.ERROR_KEY, errors); 
   httpRequest.getRequestDispatcher(onErrorUrl).forward(httpRequest, 
     httpResponse); 
} else 
   next.doFilter(request, response); 
} 

public void destroy() { 
} 

}