
JAVA Web 安全机制-使用filter验证session用户和页面缓存有关问题处理

JAVA Web 安全机制----使用filter验证session用户和页面缓存问题处理

1.WEB的信息安全隐患之一: 未授权用户直接在IE中输入URL,绕过登录页面访问系统内部页面

解决办法:通过配置filter过滤未登录用户的请求.

2.WEB的信息安全隐患之二: 合法用户"注销"后,在未关闭浏览器的情况下,点击浏览器"后退"按钮,可从本地页面缓存中读取数据,绕过了服务端filter过滤.

解决办法:在必要的页面(包含敏感信息)设定页面缓存限制.

?

1.配置filter(web.xml)

......

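<filter>
  <filter-name>Authentication</filter-name> <!-- alias of the filter; referenced by the filter-mappings below -->
  <filter-class>com.mycompany.myweb.management.util.AuthenticationFilter</filter-class> <!-- implementing class -->
  <init-param>
    <param-name>onError</param-name> <!-- init parameter read in AuthenticationFilter.init() -->
    <param-value>/Logon.do</param-value> <!-- forward target for requests that carry no logged-in session -->
  </init-param>
</filter>
<!-- Only URLs matching a mapping below pass through the filter; a page that must require login
     has to live under one of these patterns (or get its own filter-mapping). -->
<filter-mapping>
  <filter-name>Authentication</filter-name>
  <url-pattern>/management/*</url-pattern> <!-- prefix match: everything under /management/ is filtered -->
</filter-mapping>
<filter-mapping>
  <filter-name>Authentication</filter-name>
  <url-pattern>/Main.do</url-pattern> <!-- exact match: only the /Main.do request is filtered (not /Main.do/*) -->
</filter-mapping>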

......

AuthenticationFilter过滤器实现类:

package com.mycompany.myweb.management.util;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.struts.Globals;
import org.apache.struts.action.*;

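/**
 * Servlet filter that enforces the two protections described above:
 * <ol>
 *   <li>every response passing through it is marked non-cacheable, so that after "logout"
 *       the browser's Back button cannot serve a protected page from the local cache;</li>
 *   <li>requests whose session carries no logged-in account are not passed down the chain
 *       but forwarded to the logon page configured via the {@code onError} init-param,
 *       with a Struts global error message attached.</li>
 * </ol>
 *
 * <p>Only URLs covered by a {@code filter-mapping} in web.xml are protected.
 *
 * <p>Thread-safety: {@link #onErrorUrl} is written once in {@link #init(FilterConfig)} and
 * only read afterwards, so concurrent {@link #doFilter} calls share no mutable state.
 */
public class AuthenticationFilter implements Filter { // must implement javax.servlet.Filter

    /** Session attribute whose presence marks a logged-in user. */
    private static final String ACCOUNT_ATTRIBUTE = "ePAccountInfo";

    /** Name of the init-param holding the forward target for unauthenticated requests. */
    private static final String ON_ERROR_PARAM = "onError";

    /** Forward target for requests without a logged-in session (from init-param {@code onError}). */
    private String onErrorUrl;

    /**
     * Reads the {@code onError} init-param.
     *
     * @param config filter configuration supplied by the container
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter(ON_ERROR_PARAM);
        // Fallback to the literal "onError" keeps the original behavior when the param is
        // missing or blank (a blank value is a misconfiguration, not a usable path).
        if (configured == null || configured.trim().length() == 0) {
            onErrorUrl = "onError";
        } else {
            onErrorUrl = configured;
        }
    }

    /**
     * Marks the response non-cacheable, then either continues the chain (logged-in session)
     * or forwards to {@link #onErrorUrl} with a Struts global error (no session / no account).
     *
     * @param request  incoming request; cast to {@link HttpServletRequest}
     * @param response outgoing response; cast to {@link HttpServletResponse}
     * @param next     the rest of the filter chain
     * @throws IOException      propagated from the chain or the forward
     * @throws ServletException propagated from the chain or the forward
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain next)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        disableCaching(httpResponse);

        // getSession(false) does not create a session just to discover the caller has none;
        // a missing session is treated exactly like a session without the account attribute.
        HttpSession httpSession = httpRequest.getSession(false);
        boolean loggedIn = httpSession != null
                && httpSession.getAttribute(ACCOUNT_ATTRIBUTE) != null;

        if (loggedIn) {
            next.doFilter(request, response);
            return;
        }

        // Unauthenticated: attach a global error so the logon page can display it, then forward.
        ActionErrors errors = new ActionErrors();
        errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("没有登录"));
        httpRequest.setAttribute(Globals.ERROR_KEY, errors);
        httpRequest.getRequestDispatcher(onErrorUrl).forward(httpRequest, httpResponse);
    }

    /**
     * Tells browsers and intermediaries not to store this response.
     *
     * <p>Why one combined Cache-Control value: the original code called
     * {@code setHeader("Cache-Control", ...)} twice, and {@code setHeader} replaces any
     * previous value, so only "no-store" was actually sent and "no-cache" was lost.
     *
     * @param httpResponse response whose headers are set
     */
    private static void disableCaching(HttpServletResponse httpResponse) {
        httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP/1.1
        httpResponse.setHeader("Pragma", "no-cache");                                   // HTTP/1.0 caches
        httpResponse.setDateHeader("Expires", 0);                                       // already expired
    }

    /** Nothing to release: the filter holds no resources beyond a configuration string. */
    public void destroy() {
    }

}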
