- 典型的安全问题:假冒者、窃听者、非法升级者
- 认证方式: Base64 、摘要认证 、客户端证书、表单认证,重点熟悉摘要算法( HASH 、 MD5 等)
- 安全机制:授权、认证、数据完整性、机密性
- 80 端口、 443 端口
- 通过 HTTP 、 HTTPS 传输数据的区别, SSL 等概念
- 重放攻击、 SQL 注入等
【参考】
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<!-- Define servlets that are included in the web application -->
<servlet>
<servlet-name>jack</servlet-name>
<servlet-class>sample.Jack</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>dog</servlet-name>
<servlet-class>sample.Dog</servlet-class>
<load-on-startup>2</load-on-startup>
<security-role-ref>
<role-name>VIP</role-name>
<role-link>Member</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>jack</servlet-name>
<url-pattern>/abc/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dog</servlet-name>
<url-pattern>/abc/3</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dog</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/WEB-INF/jsp/exception/common-exception.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsp/exception/404-exception.jsp</location>
</error-page>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>abc/3</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<security-role>
<role-name>Admin</role-name>
</security-role>
<security-role>
<role-name>Member</role-name>
</security-role>
<security-role>
<role-name>Guest</role-name>
</security-role>
<!--<login-config>-->
<!--<auth-method>BASIC 明文认证</auth-method>-->
<!--</login-config>-->
<!--<login-config>-->
<!--<auth-method>DIGEST 摘要认证</auth-method>-->
<!--</login-config>-->
<!--<login-config>-->
<!--<auth-method>CLIENT-CERT 客户端证书</auth-method>-->
<!--</login-config>-->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/loginPage.jsp</form-login-page>
<form-error-page>/loginError.jsp</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>UpdateRecipe</web-resource-name>
<url-pattern>/abc/3</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
<role-name>Member</role-name>
</auth-constraint>
<!--<user-data-constraint>-->
<!--<transport-guarantee>CONFIDENTIAL</transport-guarantee>-->
<!--</user-data-constraint>-->
<!-- 对资源进行传输保证(不至于明文传输密码)
tomcat 需要开启 8443 端口,并且需要一个证书,涉及到 HTTPS、SSL 等安全协议 -->
</security-constraint>
</web-app>
loginPage.jsp :
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Authorization</title>
</head>
<body>
<form method="post" action="j_security_check">
<p><input type="text" name="j_username" /></p>
<p><input type="secret" name="j_password" /></p>
<p><input type="submit" value="Enter"></p>
</form>
</body>
</html>
Servlet :
package sample;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
public class Dog extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
resp.setContentType("text/html");
PrintWriter out = resp.getWriter();
if (req.isUserInRole("VIP")) { // 【授权】程序式授权,对应的是在 web.xml 中的声明式授权
out.println("Only VIP can see.");
out.println(req.getRemoteUser()); // 【认证】确认用户身份,打印出来是 username
}
out.println("he is not jack.");
}
}