urlrewrite-------解决大型WEB系统URL暴露安全问题

 

     未经过改写的WEB系统的URL可以泄漏工程文件的目录，为了保证WEB系统的安全，免遭黑客的攻击，我们通常要对URL进行重写，目的就是使访问者看不到真实的路径，从而可以减少黑客攻击的可能性，下面给出一个简单的登陆例子,将http://localhost:8080/urlrewrite/login.do改写为http://localhost:8080/urlrewrite/mylogin/

1.首先去CSDN下载频道搜索urlrewrite-2.6.0.jar这个文件，然后将其放在工程目录的WEB-INFO/LIB下。

2.配置web.xml

 

<?xml version="1.0" encoding="UTF-8"?><web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.5" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <servlet> <servlet-name>action</servlet-name> <servlet-class>org.apache.struts.action.ActionServlet</servlet-class> <init-param> <param-name>config</param-name> <param-value>/WEB-INF/struts-config.xml</param-value> </init-param> <init-param> <param-name>debug</param-name> <param-value>3</param-value> </init-param> <init-param> <param-name>detail</param-name> <param-value>3</param-value> </init-param> <load-on-startup>0</load-on-startup> </servlet> <servlet-mapping> <servlet-name>action</servlet-name> <url-pattern>*.do</url-pattern> </servlet-mapping> <filter><filter-name>UrlRewriteFilter</filter-name><filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class><init-param><param-name>logLevel</param-name><param-value>WARN</param-value></init-param></filter><filter-mapping><filter-name>UrlRewriteFilter</filter-name><url-pattern>/*</url-pattern><dispatcher>REQUEST</dispatcher><dispatcher>FORWARD</dispatcher></filter-mapping> <welcome-file-list> <welcome-file>login.jsp</welcome-file> </welcome-file-list></web-app>

 3.编写页面login.jsp.success.jsp以及failure.jsp

login.jsp<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%><%@ taglib uri="http://java.sun.com/jsp/jstl/core"prefix="c"%><%String path = request.getContextPath();String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";%><html> <body> <form action="<c:url value='/login.do'/>" method="post"> <center> 用户名:<input type="text" name="username"/> 密 码:<input type="password" name="password"/> <input type="submit"value="提交"/> </center> </form> </body></html>success.jsp<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%><html> <body> success! </body></html>failure.jsp<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%><html> <body> failure! </body></html>

4.编写action处理类及其配置struts-config.properties

LoginAction.javapackage com.zxc.struts.action;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.apache.struts.action.Action;import org.apache.struts.action.ActionForm;import org.apache.struts.action.ActionForward;import org.apache.struts.action.ActionMapping;public class LoginAction extends Action {public ActionForward execute(ActionMapping mapping, ActionForm form,HttpServletRequest request, HttpServletResponse response) {// TODO Auto-generated method stubString username=request.getParameter("username")==null?"":request.getParameter("username");String password=request.getParameter("password")==null?"":request.getParameter("password");if(username.equals("java")&&password.equals("java"))return mapping.findForward("success");elsereturn mapping.findForward("failure");}}struts-config.properties<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE struts-config PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 1.3//EN" "http://struts.apache.org/dtds/struts-config_1_3.dtd"><struts-config> <form-beans /> <global-exceptions /> <global-forwards /> <action-mappings > <action path="/login" type="com.zxc.struts.action.LoginAction" cancellable="true" > <forward name="success" path="/success.jsp"/> <forward name="failure" path="/failure.jsp"/> </action> </action-mappings> <message-resources parameter="com.zxc.struts.ApplicationResources" /></struts-config>

5.配置urlrewrite.xml文件，注意将其放到与web.xml同级目录中，并且配置的时候正向和逆向都得配置

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 2.6//EN" "http://tuckey.org/res/dtds/urlrewrite2.6.dtd"><!--Configuration file for UrlRewriteFilter http://tuckey.org/urlrewrite/--><urlrewrite><!-- 正向 --><rule><note>Login </note><from>^/mylogin[/]?$</from><to>/login.do</to></rule><!-- 逆向 --><!-- Copy of invoice order --><outbound-rule><note>Login</note><from>/login.do</from><to>/mylogin/</to></outbound-rule></urlrewrite>

6.运行结果

输入用户名和密码之后，你会发现浏览器的地址变成了http://localhost:8080/urlrewrite/mylogin/