亚洲精品理论电影在线观看,亚洲综合激情五月色一区,亚洲无人区码一二三码区别图片

隨筆分類(103)

搜索

積分與排名

積分 - 413991

排名 - 135

最新評論

1.?re: JBoss deploy 出現 OutOfMemoryError : PermGen space
Tomcat正在運行當中，是否可以刪除Work文件夾，會產生什么影響？變更Webapps目錄下應用程序的名稱，又會產生什么樣的影響？
--meShare2011
2.?re: Share Session
請教分布式環境下session sharing的實現要怎么做？有哪些比較好的方案？謝謝。
--ahan
3.?re: IntelliJ IDEA 8 注冊機/注冊碼/keygen/破解版
有注冊碼的給發個唄，我的下不來
--menghuannvxia
4.?re: 盛通置業-合肥城市風景小區小偷一周連偷六家，安徽合居美尚物業熟視無睹
除了亂收費，什么都不會，，，，，，狗屎
】
--魯人
5.?re: 盛通置業-合肥城市風景小區小偷一周連偷六家，安徽合居美尚物業熟視無睹
@RP
什么他媽的破物業，只知道要錢，什么事解決不了，上班時間久知道打情罵俏，混蛋公司
--魯人

閱讀排行榜

禁用JavaWeb應用中URL上包含的jsessionid

Java Web 應用似乎總有這樣的情況，有事沒事總是要在 URL 后面加上個 jsessionid，而且似乎不能使用配置的方式直接禁用 URL 傳遞 sessionid，這樣，就比較容易造成安全性的問題，或者在瀏覽器地址欄里留下一堆很不好看的地址，在 Struts2 中，使用了 url 標簽的所有鏈接，甚至 CSS, JS 這樣的東西，都會加上 jsessionid，如何去禁用呢，搜索國內的相關文章，無功而返，詢問我們過去的架構師，也沒有做過，只好想辦法去找國外的網站，找到了這樣的一篇文章。

http://randomcoder.com/articles/jsessionid-considered-harmful

通過加入 Filter 的方式過濾掉 URL 中包含的 jsessionid，再重新包裝 Response 返回給瀏覽器。

因為沒有太多東西，就不多解釋了，大家拿了用就可以了。

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;
import java.io.IOException;

/**
* Servlet filter which disables URL-encoded session identifiers.
* <p/>
* <pre>
* Copyright (c) 2006, Craig Condit. All rights reserved.
* <p/>
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* <p/>
*   * Redistributions of source code must retain the above copyright notice,
*     this list of conditions and the following disclaimer.
*   * Redistributions in binary form must reproduce the above copyright notice,
*     this list of conditions and the following disclaimer in the documentation
*     and/or other materials provided with the distribution.
* <p/>
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
* </pre>
*/
@SuppressWarnings("deprecation")
public class DisableUrlSessionFilter implements Filter {

    /**
     * Filters requests to disable URL-based session identifiers.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // skip non-http requests
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // clear session if session id in URL
        if (httpRequest.isRequestedSessionIdFromURL()) {
            HttpSession session = httpRequest.getSession();
            if (session != null) session.invalidate();
        }

        // wrap response to remove URL encoding
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) {
            @Override
            public String encodeRedirectUrl(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }

            @Override
            public String encodeUrl(String url) {
                return url;
            }

            @Override
            public String encodeURL(String url) {
                return url;
            }
        };

        // process next request in chain
        chain.doFilter(request, wrappedResponse);
    }

    /**
     * Unused.
     */
    public void init(FilterConfig config) throws ServletException {
    }

    /**
     * Unused.
     */
    public void destroy() {
    }

-------------------------------------------------------------------------------------------------
順便做個小廣告鏈客中國 www.linkedcast.cn 上線運行，歡迎廣大 Blogger 使用

posted on 2007-09-08 20:13 steady 閱讀(5682) 評論(4) 編輯收藏所屬分類: Java

常用鏈接

我參與的團隊

隨筆分類(103)

搜索

積分與排名

最新評論

閱讀排行榜


只有注冊用戶登錄后才能發表評論。




網站導航: 博客園 IT新聞 Chat2DB C++博客博問管理
相關文章: IntelliJ IDEA 10.0 注冊機/注冊碼/keygen/破解版 jsp-api.jar 引發的頁面編譯錯誤簡單的玩了下BeanShell HttpClient連接的強制釋放 jBPM 整合 Drools(JBoss Rule) - 整合角色分配禁用JavaWeb應用中URL上包含的jsessionid Struts2 整合 Discuz 論壇 (1) Quartz 項目應用筆記-補充 Quartz 項目應用筆記