http://www.jexp.ru/index.php?action=history&feed=atom&title=Java%2FServlets%2FSecurity
Java/Servlets/Security - История изменений
2026-04-21T20:35:50Z
История изменений этой страницы в вики
MediaWiki 1.30.0
http://www.jexp.ru/index.php?title=Java/Servlets/Security&diff=6303&oldid=prev
Admin: 1 версия
2010-06-01T06:11:27Z
<p>1 версия</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<tr style="vertical-align: top;" lang="ru">
<td colspan="1" style="background-color: white; color:black; text-align: center;">← Предыдущая</td>
<td colspan="1" style="background-color: white; color:black; text-align: center;">Версия 06:11, 1 июня 2010</td>
</tr><tr><td colspan="2" style="text-align: center;" lang="ru"><div class="mw-diff-empty">(нет различий)</div>
</td></tr></table>
Admin
http://www.jexp.ru/index.php?title=Java/Servlets/Security&diff=6302&oldid=prev
в 18:01, 31 мая 2010
2010-05-31T18:01:43Z
<p></p>
<p><b>Новая страница</b></p><div>== Password Servlet ==<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<!-- start source code --><br />
<br />
<source lang="java"><br />
/*<br />
Wireless Java 2nd edition <br />
Jonathan Knudsen<br />
Publisher: Apress<br />
ISBN: 1590590775 <br />
*/<br />
import javax.servlet.http.*;<br />
import javax.servlet.*;<br />
import java.io.*;<br />
import java.util.*;<br />
import org.bouncycastle.crypto.Digest;<br />
import org.bouncycastle.crypto.digests.SHA1Digest;<br />
public class PasswordServlet extends HttpServlet {<br />
public void doGet(HttpServletRequest request,<br />
HttpServletResponse response)<br />
throws ServletException, IOException {<br />
System.out.println("user = " + request.getParameter("user"));<br />
System.out.println("timestamp = " + request.getParameter("timestamp"));<br />
System.out.println("random = " + request.getParameter("random"));<br />
System.out.println("digest = " + request.getParameter("digest"));<br />
<br />
// Retrieve the user name.<br />
String user = request.getParameter("user");<br />
// Look up the password for this user.<br />
String password = lookupPassword(user);<br />
// Pull the timestamp and random number (hex encoded) out<br />
// of the request.<br />
String timestamp = request.getParameter("timestamp");<br />
String randomNumber = request.getParameter("random");<br />
<br />
// Compare the timestamp with the last saved<br />
// timestamp for this user. Accept only timestamps<br />
// that are greater than the last saved timestamp for this user.<br />
// [not implemented]<br />
<br />
// Gather values for the message digest.<br />
byte[] userBytes = user.getBytes();<br />
byte[] timestampBytes = HexCodec.hexToBytes(timestamp);<br />
byte[] randomBytes = HexCodec.hexToBytes(randomNumber);<br />
byte[] passwordBytes = password.getBytes();<br />
// Create the message digest.<br />
Digest digest = new SHA1Digest();<br />
// Calculate the digest value.<br />
digest.update(userBytes, 0, userBytes.length);<br />
digest.update(timestampBytes, 0, timestampBytes.length);<br />
digest.update(randomBytes, 0, randomBytes.length);<br />
digest.update(passwordBytes, 0, passwordBytes.length);<br />
byte[] digestValue = new byte[digest.getDigestSize()];<br />
digest.doFinal(digestValue, 0);<br />
<br />
// Now compare the digest values.<br />
String message = "";<br />
String clientDigest = request.getParameter("digest");<br />
if (isEqual(digestValue, HexCodec.hexToBytes(clientDigest)))<br />
message = "User " + user + " logged in.";<br />
else<br />
message = "Login was unsuccessful.";<br />
// Send a response to the client.<br />
response.setContentType("text/plain");<br />
response.setContentLength(message.length());<br />
PrintWriter out = response.getWriter();<br />
out.println(message);<br />
}<br />
<br />
private String lookupPassword(String user) {<br />
// Here you could do a real lookup based on the user name.<br />
// You might look in a text file or a database. Here, I<br />
// just use a hardcoded value.<br />
return "happy8";<br />
}<br />
<br />
private boolean isEqual(byte[] one, byte[] two) {<br />
if (one.length != two.length) return false;<br />
for (int i = 0; i < one.length; i++)<br />
if (one[i] != two[i]) return false;<br />
return true;<br />
}<br />
}<br />
class HexCodec {<br />
private static final char[] kDigits = {<br />
"0", "1", "2", "3", "4", "5", "6", "7", "8", "9",<br />
"a", "b", "c", "d", "e", "f"<br />
};<br />
<br />
public static char[] bytesToHex(byte[] raw) {<br />
int length = raw.length;<br />
char[] hex = new char[length * 2];<br />
for (int i = 0; i < length; i++) {<br />
int value = (raw[i] + 256) % 256;<br />
int highIndex = value >> 4;<br />
int lowIndex = value & 0x0f;<br />
hex[i * 2 + 0] = kDigits[highIndex];<br />
hex[i * 2 + 1] = kDigits[lowIndex];<br />
}<br />
return hex;<br />
}<br />
<br />
public static byte[] hexToBytes(char[] hex) {<br />
int length = hex.length / 2;<br />
byte[] raw = new byte[length];<br />
for (int i = 0; i < length; i++) {<br />
int high = Character.digit(hex[i * 2], 16);<br />
int low = Character.digit(hex[i * 2 + 1], 16);<br />
int value = (high << 4) | low;<br />
if (value > 127) value -= 256;<br />
raw[i] = (byte)value;<br />
}<br />
return raw;<br />
}<br />
<br />
public static byte[] hexToBytes(String hex) {<br />
return hexToBytes(hex.toCharArray());<br />
}<br />
}<br />
<br />
<br />
</source><br />
<br />
<br />
<!-- end source code --><br />
<br />
<br />
<br />
<br />
<br />
== Restrict User IP ==<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<!-- start source code --><br />
<br />
<source lang="java"><br />
<br />
import java.io.IOException;<br />
import java.io.PrintWriter;<br />
import javax.servlet.ServletException;<br />
import javax.servlet.http.HttpServlet;<br />
import javax.servlet.http.HttpServletRequest;<br />
import javax.servlet.http.HttpServletResponse;<br />
public class RestrictUserIP extends HttpServlet {<br />
public void doGet(HttpServletRequest req, HttpServletResponse resp)<br />
throws ServletException, IOException {<br />
PrintWriter out;<br />
/**<br />
* Status code (401) indicating that the request requires HTTP<br />
* authentication.<br />
*/<br />
if (req.getRemoteAddr().equals("142.3.28.87")) {<br />
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);<br />
}<br />
resp.setContentType("text/html");<br />
out = resp.getWriter();<br />
out.println("<HTML>");<br />
out.println("<BODY>");<br />
out.println("<H1>");<br />
out.println("Hello!");<br />
out.println("<BR>");<br />
out.println("Your IP Address: " + req.getRemoteAddr());<br />
out.println("</H1>");<br />
out.println("</body>");<br />
out.println("</html>");<br />
out.close();<br />
}<br />
}<br />
<br />
</source><br />
<br />
<br />
<!-- end source code --><br />
<br />
<br />
<br />
<br />
<br />
== Test Security ==<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<!-- start source code --><br />
<br />
<source lang="java"><br />
import java.io.*;<br />
import java.net.*;<br />
import javax.servlet.*;<br />
import javax.servlet.http.*;<br />
public class TestSecurity extends HttpServlet {<br />
String h2o = "<H2>";<br />
String h2c = "</H2>";<br />
String p = "<p>";<br />
/**<br />
* put your documentation comment here<br />
* @param req<br />
* @param res<br />
* @exception ServletException, IOException<br />
*/<br />
public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {<br />
res.setContentType("text/html");<br />
PrintWriter out = res.getWriter();<br />
out.println("<HTML>");<br />
out.println("<HEAD><TITLE>Hello World</TITLE></HEAD>");<br />
out.println("<BODY>");<br />
out.println("<BIG>Test Security</BIG>");<br />
try {<br />
out.println(h2o + "Information..." + h2c);<br />
out.println(" Security Manager: " + getSecurityManager().getClass().getName()<br />
+ p);<br />
out.println(" ClassLoader: " + this.getClass().getClassLoader()<br />
+ p);<br />
// weblogic.utils.classloaders.GenericClassLoader gcl = (weblogic.utils.classloaders.GenericClassLoader)this.getClass().getClassLoader();<br />
// gcl.setDebug( true );<br />
out.println(" CodeSource: " + this.getClass().getProtectionDomain().getCodeSource().getLocation()<br />
+ p);<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
/*<br />
try<br />
{<br />
out.println( h2o + "Trying some dangerous J2EE calls..." + h2c );<br />
String hack = request.getParameter( "hack" );<br />
Cookie[] cookies = request.getCookies();<br />
out.println( " -- allowed -- " + p );<br />
int x = 1 + 2 + 3;<br />
out.println( hack ); // use it<br />
int y = 1 + 2 + 3;<br />
out.println( cookies ); // use it<br />
String m = "COOKIE: " + cookies[0]; // use it again<br />
cookies = new Cookie[10]; // reset it<br />
String n = "COOKIE: " + cookies[5]; // use it again<br />
}<br />
catch( Exception e ) { out.println( " -- rejected -- " + e.getMessage() + p ); }<br />
*/<br />
try {<br />
out.println(h2o + "Attempting file write to d:/Java..." + h2c);<br />
File f = new File("d:/Java/blah.txt");<br />
FileWriter fw = new FileWriter(f);<br />
fw.write("test\n");<br />
fw.close();<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
try {<br />
out.println(h2o + "Attempting file write to d:/Java/TestServlet..."<br />
+ h2c);<br />
File f = new File("d:/Java/TestServlet/blah.txt");<br />
FileWriter fw = new FileWriter(f);<br />
fw.write("test\n");<br />
fw.close();<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
try {<br />
out.println(h2o + "Attempting file read to c:/Ntdetect..." + h2c);<br />
File f = new File("c:/Ntdetect.ru");<br />
FileReader fr = new FileReader(f);<br />
int c = fr.read();<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
try {<br />
out.println(h2o + "Attempting file read to c:/weblogic/weblogic.properties..."<br />
+ h2c);<br />
File f = new File("c:/weblogic/weblogic.properties");<br />
FileReader fr = new FileReader(f);<br />
int c = fr.read();<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
try {<br />
out.println(h2o + "Attempting to connect to yahoo.ru..." + h2c);<br />
Socket s = new Socket("yahoo.ru", 8080);<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
try {<br />
out.println(h2o + "Attempting to connect to hacker.ru..." + h2c);<br />
Socket s = new Socket("hacker.ru", 8080);<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
try {<br />
out.println(h2o + "Attempting to listen on port 37337..." + h2c);<br />
ServerSocket s = new ServerSocket(37337);<br />
Socket c = s.accept();<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
try {<br />
out.println(h2o + "Attempting to listen on port 7001..." + h2c);<br />
ServerSocket s = new ServerSocket(7001);<br />
Socket c = s.accept();<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
/*<br />
try<br />
{<br />
out.println( h2o + "Attempting native call..." + h2c );<br />
native0( 1 );<br />
out.println( " -- allowed -- " + p );<br />
} <br />
catch( Exception e ) { out.println( " -- rejected -- " + e.getMessage() + p ); }<br />
*/<br />
try {<br />
out.println(h2o + "Attempting exec..." + h2c);<br />
Runtime.getRuntime().exec("dir");<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
try {<br />
out.println(h2o + "Attempting system exit..." + h2c);<br />
out.println(" -- allowed -- " + p);<br />
} catch (Exception e) {<br />
out.println(" -- rejected -- " + e.getMessage() + p);<br />
}<br />
out.println("</BODY></HTML>");<br />
}<br />
}<br />
<br />
<br />
</source><br />
<br />
<br />
<!-- end source code --></div>