如何保护我的Java Web应用程序? [英] How to secure my java web application?
问题描述
我在其中,当用户登录他们到达 mainjsp.jsp 页面的Web应用程序。
I have a web application in which when users login they reach the mainjsp.jsp page.
在此页面很少有文本框的日期,并根据从另一个下拉日期和选择,数据提交。这个数据是由的servlet 检索并带回 mainjsp 页
In this page there are few text-box for dates and based on dates and selection from another drop-down, data is submitted. This data is retrieved by a servlet and brought back to the mainjsp page.
我担心的是安全问题。现在,当我复制粘贴 mainjsp.jsp 页的URL,并将其粘贴在任何浏览器出现此页面,因为它是。我不希望这种情况发生。我希望用户先登录,所以我想我的web应用程序安全。
My concern is about security. Now when I copy paste the mainjsp.jsp page's URL and paste it in any browser this page appears as it is. I don't want this to happen. I want the users to login first and hence I want my web application secure.
我没有任何想法如何做到这一点。你能告诉我怎样才能做到这一点?
I don't have any idea how to do this. Could you please tell me how can I achieve this?
也请告诉我,我怎么做到这一点任何在web应用程序的页面。用户不应该能够访问任何页面,如果他们还没有登录。
Also please tell me how do I achieve this for any of the pages in the web-application. Users should not be able to access any page if they haven't logged in.
推荐答案
您应该有基于表单的认证即可。这里是一个应该被添加到您的 web.xml中的片段
You should have Form based authentication. Here is the snippet which should be added to your web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>pagesWitUnrestrictedAccess</web-resource-name>
<description>No Description</description>
<url-pattern>*.jsp</url-pattern>
</web-resource-collection>
<user-data-constraint>
<description>No Description</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
一些参考:
- Securing Web Applications
- Securing Java EE 5 Web Applications
- Declaring Security Requirements in a Deployment Descriptor
这篇关于如何保护我的Java Web应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
