碼上快樂

相關內容    簡體    繁體

一個過濾器不僅解決了會話標識未更新同時還順帶解決了已解密的登錄請求

本文轉載自   查看原文   2016-08-31 16:43   2330    安全漏洞

廢話不多說直接上代碼,少點套路,多點真誠。

過濾器代碼如下:

package com.filter;
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * 
 * 會話標識未更新 
 * */
public class NewSessionFilter extends HttpServlet implements Filter {
    /**
     * 
     */
    private static final long serialVersionUID = 831349987977760012L;
    static ServletRequest request;
    private String url;  
        private static final Logger logger = LoggerFactory.getLogger(NewSessionFilter.class);  
        public static final String NEW_SESSION_INDICATOR = "com.filter.NewSessionFilter"; 
        
        static HttpServletRequest request2 = (HttpServletRequest) request;
        public static void newSession(){  
            HttpSession session = request2.getSession(true);  
            session.setAttribute(NEW_SESSION_INDICATOR, true);  
       }  
        
        @Override  
        public void doFilter(ServletRequest request, ServletResponse response,  
               FilterChain chain) throws IOException, ServletException 
          {  
            //System.out.println("NewSessionFilter doFilter");  
              
            if (request instanceof HttpServletRequest) {  
                HttpServletRequest httpRequest = (HttpServletRequest) request;  
                  
                //取的url相對地址  
                String url = httpRequest.getRequestURI();    
               System.out.println(url);    
                if (httpRequest.getSession() != null) {  
                    System.out.println("NewSessionFilter doFilter httpRequest.getSession().getId()"+ httpRequest.getSession().getId());  
                   //--------復制 session到臨時變量  
                    HttpSession session = httpRequest.getSession();  
                    HashMap old = new HashMap();  
                    Enumeration keys = (Enumeration) session.getAttributeNames();  
                      
                    while (keys.hasMoreElements()){  
                        String key = (String) keys.nextElement();  
                        if (!NEW_SESSION_INDICATOR.equals(key)){  
                            old.put(key, session.getAttribute(key));  
                            session.removeAttribute(key);  
                        }  
                    }  
                      
                    if (httpRequest.getMethod().equals("POST") && httpRequest.getSession() != null   
                            && !httpRequest.getSession().isNew() && httpRequest.getRequestURI().endsWith(url)){  
                        session.invalidate();  
                        session=httpRequest.getSession(true);  
                        logger.debug("new Session:" + session.getId());  
                    }  
                      
                   //-----------------復制session  
                    for (Iterator it = old.entrySet().iterator(); it.hasNext();) {  
                        Map.Entry entry = (Entry) it.next();  
                        session.setAttribute((String) entry.getKey(), entry.getValue());  
                    }  
                }  
            }  
              
            chain.doFilter(request, response);  
           // System.out.println("NewSessionFilter doFilter end");  
       }  
        
     
        @Override  
        public void destroy() {  
           // System.out.println("NewSessionFilter destory");  
        }  
      
        @Override  
        public void init(FilterConfig filterConfig) throws ServletException {  
           // System.out.println("NewSessionFilter init");  
            //System.out.println("NewSessionFilter init end");  
        }


}

web.xml配置如下:

<!--配置過濾器 會話標識未更新 過濾  -->
    
    <filter>  
        <filter-name>NewSessionFilter</filter-name>  
        <filter-class>com.filter.NewSessionFilter</filter-class>  
    </filter> 
    <!--映射過濾器--> 
    <filter-mapping>
      <filter-name>NewSessionFilter</filter-name>
        <!--“/*”表示攔截所有的請求 -->
        <url-pattern>/*</url-pattern>
    </filter-mapping>

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 會話標識未更新 Appscan檢測結果:【已解密的登錄請求】已解決 java web過濾器防止未登錄進入界面 CorsFilter 過濾器解決跨域 服務網關ZuulFilter過濾器--如何解決跨域請求中的OPTIONS請求 Appscan漏洞之會話標識未更新 會話標識未更新(AppScan掃描結果) MVC下用戶登錄狀態校驗的問題以及解決方案--------------Action全局過濾器的使用 MVC下用戶登錄狀態校驗的問題以及解決方案--------------Action全局過濾器的使用 使用過濾器(Filter)解決請求參數中文亂碼問題(復雜方式)
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM