Java/Servlets/Security
Password Servlet
<source lang="java">
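/* Wireless Java 2nd edition Jonathan Knudsen Publisher: Apress ISBN: 1590590775 */
import javax.servlet.http.*;
import javax.servlet.*;
import java.io.*;
import java.math.BigInteger;
import java.util.*;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.SHA1Digest;

/**
 * Server side of a simple challenge/response login.
 *
 * The client sends its user name, a timestamp and a random number (both hex
 * encoded) plus {@code SHA-1(user || timestamp || random || password)} in hex.
 * The servlet recomputes that digest from the password it holds for the user
 * and replies with a plain-text success or failure line.
 *
 * Security properties a deployer should understand before reusing this:
 * <ul>
 * <li>The server must know the plaintext password to recompute the digest, so
 *     this scheme cannot be combined with salted password hashing on the
 *     server side.</li>
 * <li>A bare SHA-1 over concatenated fields stands in for a MAC; an HMAC over
 *     the same fields would be the standard construction.</li>
 * <li>Replays are rejected only by the per-user "timestamp must increase"
 *     rule implemented below. That state lives in this servlet instance's
 *     memory and is lost on redeploy or restart.</li>
 * <li>With GET the (digested) credentials travel in the query string and end
 *     up in access logs and browser history; POST is accepted too and clients
 *     should prefer it.</li>
 * </ul>
 */
public class PasswordServlet extends HttpServlet {

    /** Highest timestamp accepted so far, per user; every access is synchronized on the map. */
    private final Map<String, BigInteger> lastTimestamps = new HashMap<String, BigInteger>();

    /**
     * Handles one login attempt carried in the request parameters.
     * A missing or malformed parameter yields the same failure reply as a wrong
     * password instead of a 500 from a NullPointerException. The parameters are
     * deliberately not logged: the digest is a one-time credential.
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");
        String timestamp = request.getParameter("timestamp");
        String randomNumber = request.getParameter("random");
        String clientDigest = request.getParameter("digest");

        boolean authenticated = user != null && timestamp != null && randomNumber != null
                && clientDigest != null
                && authenticate(user, timestamp, randomNumber, clientDigest);

        String message = authenticated
                ? "User " + user + " logged in."
                : "Login was unsuccessful.";
        sendPlainText(response, message);
    }

    /** Accepts the same request over POST so the credentials need not appear in the URL. */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }

    /**
     * Verifies the client digest and the timestamp ordering for one request.
     *
     * @return true only if the digest matches and the timestamp is strictly
     *         newer than the last one accepted for this user
     */
    private boolean authenticate(String user, String timestamp, String randomNumber,
            String clientDigest) {
        String password = lookupPassword(user);
        if (password == null) {
            return false; // unknown user: same reply as a bad password
        }
        byte[] timestampBytes;
        byte[] randomBytes;
        byte[] expected;
        try {
            timestampBytes = HexCodec.hexToBytes(timestamp);
            randomBytes = HexCodec.hexToBytes(randomNumber);
            expected = HexCodec.hexToBytes(clientDigest);
        } catch (IllegalArgumentException e) {
            return false; // not valid hex
        }
        byte[] actual = computeDigest(user, timestampBytes, randomBytes, password);
        if (!isEqual(actual, expected)) {
            return false;
        }
        // Only a request that proved knowledge of the password may advance the
        // stored timestamp; otherwise anyone could lock a user out by sending a
        // huge timestamp with a bogus digest.
        return isFresh(user, new BigInteger(1, timestampBytes));
    }

    /** SHA-1 over user, timestamp, random and password, in that order. */
    private byte[] computeDigest(String user, byte[] timestampBytes, byte[] randomBytes,
            String password) {
        byte[] userBytes = utf8(user);
        byte[] passwordBytes = utf8(password);
        Digest digest = new SHA1Digest();
        digest.update(userBytes, 0, userBytes.length);
        digest.update(timestampBytes, 0, timestampBytes.length);
        digest.update(randomBytes, 0, randomBytes.length);
        digest.update(passwordBytes, 0, passwordBytes.length);
        byte[] digestValue = new byte[digest.getDigestSize()];
        digest.doFinal(digestValue, 0);
        return digestValue;
    }

    /**
     * Encodes text as UTF-8. The client must use the same encoding for the
     * digests to match; the platform default used before could differ between
     * client and server for non-ASCII names. TODO confirm the client's encoding.
     */
    private static byte[] utf8(String s) {
        try {
            return s.getBytes("UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 support is required by the JVM", e);
        }
    }

    /**
     * Records the timestamp if it is strictly greater than the last accepted
     * one for this user. Timestamps are compared only with each other, never
     * with the server clock. The map only grows by one entry per user that has
     * logged in successfully.
     */
    private boolean isFresh(String user, BigInteger timestamp) {
        synchronized (lastTimestamps) {
            BigInteger last = lastTimestamps.get(user);
            if (last != null && timestamp.compareTo(last) <= 0) {
                return false;
            }
            lastTimestamps.put(user, timestamp);
            return true;
        }
    }

    /**
     * Writes the reply as UTF-8 text. Content-Length is computed from the
     * encoded bytes; the previous version used the character count of the
     * message without its trailing newline, which is wrong for both.
     */
    private static void sendPlainText(HttpServletResponse response, String message)
            throws IOException {
        byte[] body = utf8(message + "\n");
        response.setContentType("text/plain; charset=UTF-8");
        response.setContentLength(body.length);
        OutputStream out = response.getOutputStream();
        out.write(body);
        out.flush();
    }

    /**
     * Returns the plaintext password for a user, or null for an unknown user.
     * Placeholder from the book: every user gets the same hardcoded value. A
     * real deployment would read it from a credential store reachable only by
     * this server, and would have to store it in recoverable form (see class
     * comment).
     */
    private String lookupPassword(String user) {
        return "happy8";
    }

    /**
     * Constant-time array comparison: it visits every byte regardless of where
     * the first mismatch is, so response timing does not leak how much of the
     * digest was right. The early exit on differing length only reveals the
     * length, which the client already chose.
     * (java.security.MessageDigest.isEqual gives the same guarantee on Java 6u17+.)
     */
    private boolean isEqual(byte[] one, byte[] two) {
        if (one.length != two.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < one.length; i++) {
            diff |= one[i] ^ two[i];
        }
        return diff == 0;
    }
}

/** Hex to byte conversion helpers: lower-case output, case-insensitive input. */
class HexCodec {
    private static final char[] kDigits = {
        '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
    };

    /** Two lower-case hex digits per input byte. */
    public static char[] bytesToHex(byte[] raw) {
        char[] hex = new char[raw.length * 2];
        for (int i = 0; i < raw.length; i++) {
            int value = raw[i] & 0xff;
            hex[i * 2] = kDigits[value >> 4];
            hex[i * 2 + 1] = kDigits[value & 0x0f];
        }
        return hex;
    }

    /**
     * Decodes pairs of hex digits into bytes.
     *
     * @throws IllegalArgumentException on odd length or a non-hex character.
     *         The previous version silently dropped a trailing nibble and turned
     *         bad characters (Character.digit returns -1) into garbage bytes,
     *         which is not acceptable for credential data.
     */
    public static byte[] hexToBytes(char[] hex) {
        if (hex.length % 2 != 0) {
            throw new IllegalArgumentException("hex string has odd length: " + hex.length);
        }
        byte[] raw = new byte[hex.length / 2];
        for (int i = 0; i < raw.length; i++) {
            int high = Character.digit(hex[i * 2], 16);
            int low = Character.digit(hex[i * 2 + 1], 16);
            if (high < 0 || low < 0) {
                throw new IllegalArgumentException("non-hex character at index " + (i * 2));
            }
            raw[i] = (byte) ((high << 4) | low); // the cast maps 128..255 to negative bytes
        }
        return raw;
    }

    public static byte[] hexToBytes(String hex) {
        return hexToBytes(hex.toCharArray());
    }
}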
</source>
Restrict User IP
<source lang="java">
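import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Refuses one fixed peer address and greets every other client with its
 * address.
 *
 * Caveats for anyone reusing the pattern: getRemoteAddr() is the address of
 * the TCP peer, so behind a reverse proxy or load balancer it is the proxy's
 * address, not the end user's (and forwarded-for headers are client-supplied,
 * so they must not simply be trusted instead). The comparison is an exact
 * string match, so an IPv6 or IPv4-mapped spelling of the same host would not
 * match. A single-address deny list is a demonstration, not access control.
 */
public class RestrictUserIP extends HttpServlet {

    /** The one peer address this servlet refuses. */
    private static final String DENIED_ADDRESS = "142.3.28.87";

    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String clientAddress = req.getRemoteAddr();
        if (DENIED_ADDRESS.equals(clientAddress)) {
            // 403 rather than 401: the client is identified and refused, and no
            // credentials would change that. The return is essential - the old
            // code fell through and kept writing to the response after sendError.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<HTML>");
        out.println("<BODY>");
        // The markup tags between these lines were lost in the page rendering;
        // blank lines keep the output shape. TODO confirm the original tags.
        out.println();
        out.println("Hello!");
        out.println();
        out.println("Your IP Address: " + clientAddress);
        out.println();
        out.println("</body>");
        out.println("</html>");
        out.close();
    }
}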
</source>
Test Security
<source lang="java">
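import java.io.*;
import java.net.*;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Sandbox probe servlet. Each probe attempts one privileged operation (file
 * write, file read, outbound connection, listening socket, process execution)
 * and reports whether the JVM's SecurityManager allowed it, so a container's
 * policy can be checked from a browser.
 *
 * Deploy on a test server only: where the policy is permissive, every request
 * writes files and spawns a process on the server. The report embeds exception
 * text in HTML, so it is escaped before output.
 *
 * NOTE(review): the SecurityManager API is deprecated for removal since Java 17
 * (JEP 411). On a runtime with none installed every probe reports "allowed",
 * and the environment section says so explicitly.
 */
public class TestSecurity extends HttpServlet {
    // NOTE(review): the page rendering stripped the markup from these literals
    // (h2c held a raw line break, which does not compile). The values below keep
    // the report readable without guessing the original tags.
    String h2o = "";
    String h2c = "\n";
    String p = "";

    /** Runs every probe in order and writes the HTML report. */
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();
        out.println("<HTML>");
        out.println("<HEAD><TITLE>Hello World</TITLE></HEAD>");
        out.println("<BODY>");
        out.println("Test Security");

        reportEnvironment(out);
        probeFileWrite(out, "d:/Java", "d:/Java/blah.txt");
        probeFileWrite(out, "d:/Java/TestServlet", "d:/Java/TestServlet/blah.txt");
        probeFileRead(out, "c:/Ntdetect", "c:/Ntdetect.ru");
        probeFileRead(out, "c:/weblogic/weblogic.properties", "c:/weblogic/weblogic.properties");
        probeConnect(out, "yahoo.ru", 8080);
        probeConnect(out, "hacker.ru", 8080);
        probeListen(out, 37337);
        probeListen(out, 7001);
        probeExec(out, "dir");

        // The previous version printed "allowed" here without calling anything,
        // which misreported the policy. System.exit is never invoked on purpose:
        // if permitted it would take the whole container down.
        out.println(h2o + "Attempting system exit..." + h2c);
        out.println(" -- not attempted (would terminate the JVM) -- " + p);

        out.println("</BODY></HTML>");
    }

    /** Reports the installed SecurityManager (if any), this servlet's class loader and its code source. */
    private void reportEnvironment(PrintWriter out) {
        out.println(h2o + "Information..." + h2c);
        try {
            // System.getSecurityManager() is null when none is installed; the old
            // code dereferenced it unconditionally and reported the NPE as "rejected".
            SecurityManager sm = System.getSecurityManager();
            out.println(" Security Manager: "
                    + (sm == null ? "none installed" : sm.getClass().getName()) + p);
            out.println(" ClassLoader: " + getClass().getClassLoader() + p);
            out.println(" CodeSource: "
                    + getClass().getProtectionDomain().getCodeSource().getLocation() + p);
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        }
    }

    /** Tries to create and write a small file at {@code path}; the file is left behind when this succeeds. */
    private void probeFileWrite(PrintWriter out, String label, String path) {
        out.println(h2o + "Attempting file write to " + label + "..." + h2c);
        FileWriter fw = null;
        try {
            fw = new FileWriter(new File(path));
            fw.write("test\n");
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        } finally {
            closeQuietly(fw);
        }
    }

    /** Tries to open {@code path} and read one character from it. */
    private void probeFileRead(PrintWriter out, String label, String path) {
        out.println(h2o + "Attempting file read to " + label + "..." + h2c);
        FileReader fr = null;
        try {
            fr = new FileReader(new File(path));
            fr.read();
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        } finally {
            closeQuietly(fr);
        }
    }

    /**
     * Tries an outbound TCP connection and closes it at once; only the
     * permission check matters. A network failure (unknown host, refused
     * connection) is reported as rejected too, so the exception type in the
     * report tells the two apart.
     */
    private void probeConnect(PrintWriter out, String host, int port) {
        out.println(h2o + "Attempting to connect to " + host + "..." + h2c);
        Socket s = null;
        try {
            s = new Socket(host, port);
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        } finally {
            if (s != null) {
                try {
                    s.close();
                } catch (IOException ignored) {
                    // best effort: the probe result has already been reported
                }
            }
        }
    }

    /**
     * Tries to bind a listening socket. The bind is what the policy's listen
     * check covers; the old code then blocked in accept() with no client to
     * connect, hanging the request thread whenever the bind was allowed. A
     * BindException (port already in use) also shows up as rejected.
     */
    private void probeListen(PrintWriter out, int port) {
        out.println(h2o + "Attempting to listen on port " + port + "..." + h2c);
        ServerSocket s = null;
        try {
            s = new ServerSocket(port);
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        } finally {
            if (s != null) {
                try {
                    s.close();
                } catch (IOException ignored) {
                    // best effort: the probe result has already been reported
                }
            }
        }
    }

    /** Tries to launch a process; the child is destroyed at once so it cannot outlive the request. */
    private void probeExec(PrintWriter out, String command) {
        out.println(h2o + "Attempting exec..." + h2c);
        try {
            Process child = Runtime.getRuntime().exec(command);
            child.destroy();
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        }
    }

    private void allowed(PrintWriter out) {
        out.println(" -- allowed -- " + p);
    }

    /**
     * Reports a failed probe. The exception's class name is included so a
     * SecurityException (policy denial) can be told from an IOException
     * (environment failure); the text is escaped because it may contain paths
     * and host names and is embedded in HTML.
     */
    private void rejected(PrintWriter out, Exception e) {
        out.println(" -- rejected -- " + escapeHtml(String.valueOf(e)) + p);
    }

    private static void closeQuietly(Closeable c) {
        if (c != null) {
            try {
                c.close();
            } catch (IOException ignored) {
                // best effort: the probe result has already been reported
            }
        }
    }

    /** Minimal HTML escaping for text placed in element content. */
    private static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
</source>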