Resisting attacks
Security tactics include tactics for resisting attacks, tactics for detecting attacks, and tactics for recovering from attacks.
In my hot-word analysis system I used resist-attack tactics such as identity authentication. With this system you must first log in to your account
and also enter a CAPTCHA; the CAPTCHA value is passed through the session to a servlet for verification.
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.util.Random"%>
<%@ page import="java.io.OutputStream"%>
<%@ page import="java.awt.Color"%>
<%@ page import="java.awt.Font"%>
<%@ page import="java.awt.Graphics"%>
<%@ page import="java.awt.image.BufferedImage"%>
<%@ page import="javax.imageio.ImageIO"%>
<%
    int width = 100;
    int height = 32;
    // create the image
    BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
    Graphics g = image.getGraphics();
    // set the background color
    g.setColor(new Color(0xDCDCDC));
    g.fillRect(0, 0, width, height);
    // draw the border
    g.setColor(Color.black);
    g.drawRect(0, 0, width - 1, height - 1);
    // create a random instance to generate the codes
    Random rdm = new Random();
    // zero-pad to 8 hex digits so that substring(0, 4) below never runs off the end
    // (Integer.toHexString of a small value can be shorter than 4 characters)
    String hash1 = String.format("%08x", rdm.nextInt());
    // make some confusion: scatter noise dots over the image
    for (int i = 0; i < 50; i++) {
        int x = rdm.nextInt(width);
        int y = rdm.nextInt(height);
        g.drawOval(x, y, 0, 0);
    }
    // generate a random code
    String capstr = hash1.substring(0, 4);
    session.setAttribute("key11", capstr); // store the CAPTCHA text in the session
    g.setColor(new Color(0, 100, 0));
    g.setFont(new Font("Candara", Font.BOLD, 24));
    g.drawString(capstr, 8, 24);
    g.dispose();
    response.setContentType("image/jpeg");
    // discard the JSP's character output and write the raw image bytes instead
    out.clear();
    out = pageContext.pushBody();
    OutputStream strm = response.getOutputStream();
    ImageIO.write(image, "jpeg", strm);
    strm.close();
%>
Then the servlet reads `String code1 = (String) session.getAttribute("key11");` and uses it to verify the value the user entered.
Then the passwords used for registration and login are hashed with MD5.
package servlet;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Created by geely
 */
public class md5 {
    private static final String hexDigits[] = {"0", "1", "2", "3", "4", "5", "6", "7",
                                               "8", "9", "a", "b", "c", "d", "e", "f"};

    private static String byteArrayToHexString(byte b[]) {
        StringBuilder resultSb = new StringBuilder();
        for (int i = 0; i < b.length; i++)
            resultSb.append(byteToHexString(b[i]));
        return resultSb.toString();
    }

    private static String byteToHexString(byte b) {
        int n = b;
        if (n < 0) n += 256; // map the signed byte to 0..255
        int d1 = n / 16;
        int d2 = n % 16;
        return hexDigits[d1] + hexDigits[d2];
    }

    /**
     * Returns the uppercase MD5 hex digest of origin.
     *
     * @param origin      the text to hash
     * @param charsetname charset used to encode origin; platform default if null or empty
     * @return uppercase hex digest
     */
    private static String MD5Encode(String origin, String charsetname) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] input = (charsetname == null || "".equals(charsetname))
                    ? origin.getBytes()
                    : origin.getBytes(charsetname);
            return byteArrayToHexString(md.digest(input)).toUpperCase();
        } catch (NoSuchAlgorithmException | UnsupportedEncodingException e) {
            // the original swallowed the exception, which would have returned the
            // plaintext password uppercased; fail loudly instead
            throw new IllegalStateException("MD5 digest failed", e);
        }
    }

    public static String MD5EncodeUtf8(String origin) {
        // origin = origin + PropertiesUtil.getProperty("password.salt", "");
        return MD5Encode(origin, "utf-8");
    }
}
This method is called to hash the entered password, which is then passed to the DAO layer for registration and login verification.
The DAO layer's database connection uses PreparedStatement, which prevents someone from entering special symbols at login that would neutralize the condition after WHERE in the SQL statement.
This protects the security of account passwords and prevents others from stealing them.
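The login path described above, as an added example that is not the project's own code: the CAPTCHA stored under session key "key11" is checked first, and the password lookup is shown once as a string-concatenated query (the form PreparedStatement is meant to replace) and once with bound parameters. The table name `users` and its columns are assumed names; the hash helper is the md5 class shown above.

```java
package servlet;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpSession;

// Added example; assumes a table "users" with columns "username" and "password"
// (hypothetical names) and the md5.MD5EncodeUtf8 helper from this page.
public class LoginCheck {

    // Weak form: the user's input is spliced into the SQL text. A single quote in
    // the input ends the string literal early, so the rest of the WHERE clause can
    // be altered and the password comparison skipped.
    static String unsafeQuery(String username, String pwdHash) {
        return "SELECT id FROM users WHERE username='" + username
             + "' AND password='" + pwdHash + "'";
    }

    // Hardened form: the driver binds the values as data, never as SQL syntax,
    // so quotes or comment markers in the input cannot change the WHERE clause.
    static boolean safeLogin(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE username=? AND password=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, md5.MD5EncodeUtf8(password)); // same hash as at registration
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next(); // one matching row means the credentials are valid
            }
        }
    }

    // CAPTCHA check: the JSP stored the drawn text under "key11"; compare it with
    // the form field and remove it so the same value cannot be submitted twice.
    static boolean captchaMatches(HttpSession session, String submitted) {
        String expected = (String) session.getAttribute("key11");
        session.removeAttribute("key11"); // one-time use
        return expected != null && submitted != null
            && expected.equalsIgnoreCase(submitted.trim());
    }
}
```

Call captchaMatches before safeLogin in the servlet's doPost so a wrong CAPTCHA never reaches the database query.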
For restricting access, on the JSP pages I used the session: the successfully logged-in account is stored in the session, and the other JSPs check the session to see whether an account is logged in; if no account is logged in, none of the pages can be viewed.
<%
    if ((String) session.getAttribute("username") == null) {
%>
<script type="text/javascript">
    alert("您未登录,请登陆后进入该界面");
</script>
<%
        return; // stop rendering the rest of the page; the alert alone would still let the content through
    }
%>
This prevents someone who knows the address of a main function page from entering it directly without logging in.